Specifications

Chapter 3 User Authentication With Open Directory 41
Different hash functions are used to encrypt shadow and crypt passwords. For crypt
passwords, the standard UNIX crypt function is used. Shadow passwords are encrypted
using several hash functions, including NT and LAN Manager.
Cracking Readable Passwords
Because crypt passwords are stored directly in user accounts, they are potentially
subject to cracking. User accounts in a shared directory domain are openly accessible
on the network. Anyone on the network who has Workgroup Manager or knows how
to use command-line tools can read the contents of user accounts, including the
passwords stored in them.
A malicious user, or cracker, could use Workgroup Manager or UNIX commands to copy
user records to a file. The cracker can transport this file to a system and use various
techniques to figure out which unencrypted passwords generate the encrypted
passwords stored in the user records. After identifying a password, the cracker can log
in unnoticed with a legitimate user name and password.
This form of attack is known as an offline attack, since it does not require successive
login attempts to gain access to a system.
A very effective way to thwart password cracking is to use good passwords. A
password should contain letters, numbers, and symbols in combinations that won’t be
easily guessed by unauthorized users. Passwords should not consist of actual words.
Good passwords might include digits and symbols (such as # or $). Or they might
consist of the first letter of all the words in a particular phrase. Use both uppercase and
lowercase letters.
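The password guidance above can be turned into a check that an administrator runs before accepting a new password. The following Python script is an added example, not code from the manual or from Apple; it encodes the rules the text gives (letters, digits, symbols, both cases, not an actual word) and the "first letter of each word in a phrase" technique. The eight-character minimum and the small word list are assumptions for illustration; a real deployment would load a full dictionary file.

```python
import string
from typing import List

# Constructed stand-in for a dictionary file (assumption, not from the manual).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon", "apple"}

SYMBOLS = set(string.punctuation)


def password_problems(password: str, min_length: int = 8) -> List[str]:
    """Return the guidance rules this password fails; an empty list means it passes.

    The rules mirror the manual's advice: letters, digits and symbols combined,
    both uppercase and lowercase, and not an actual word. The minimum length is
    an added assumption.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbols (such as # or $)")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        problems.append("not both uppercase and lowercase")
    # Compare only the letters against the word list, so a word decorated with a
    # digit and a symbol (e.g. "Password1!") is still flagged as an actual word.
    core = "".join(c for c in password if c.isalpha()).lower()
    if core in COMMON_WORDS:
        problems.append("based on an actual word")
    return problems


def is_good_password(password: str) -> bool:
    """True when the password satisfies every rule in password_problems()."""
    return not password_problems(password)


def phrase_initials(phrase: str) -> str:
    """Build the 'first letter of each word' candidate the manual suggests.

    Keeps each initial's case and passes leading digits or symbols through, so a
    phrase that already contains numbers and symbols yields a mixed candidate.
    """
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Password1!", "abc", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate) or "ok")
    seed = phrase_initials("My dog Rex ate 2 bones & ran!")
    print(seed, "->", password_problems(seed) or "ok")
```

Decorated dictionary words are rejected because the check strips digits and symbols before the word-list comparison; a candidate derived from a phrase that already mixes case, a digit and a symbol passes every rule.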
Note: Shadow and Open Directory passwords are far less susceptible to offline attack
because they are not stored in user records. Shadow passwords are stored in separate
files that can be read only by someone who knows the password of the root user (also
known as the System Administrator). Open Directory passwords are stored securely in
the Kerberos KDC and in the Open Directory Password Server database. A user's Open
Directory password can’t be read by other users, not even by a user with administrator
rights for Open Directory authentication. (This administrator can only change Open
Directory passwords and password policies.)
LL2352.Book Page 41 Friday, August 22, 2003 3:12 PM