Password authentication is the most common way of securing access to some machine or service. It falls under Challenge-response authentication – a family of protocols in which one party (server) presents a challenge, and the other party provides a valid response (password) to authenticate itself. There are many types of challenge-response algorithms (like SCRAM), and while they’re fairly simple to use (for end-users) and provide a good level of security, they do not come without drawbacks.

In this article we’ll see what those drawbacks are, and in accordance to them, why you should use truly secure passwords. We’ll go over some ways on how to generate secure passwords on Linux too.

DRAWBACKS OF PASSWORD AUTHENTICATION

Weak passwords

Let’s start with the most obvious – weak passwords. Weak passwords are short, simple, or use dictionary words and personally identifiable information, like your pet’s name, your maiden name, and any other information that can easily be found and traced back to you. Think of the following passwords:

123456
password
qwerty
admin
monkey

Quite simple, right? These are actually one of the most commonly used passwords in the world, year in, year out! It takes a living person a couple of minutes at most to manually try each of these, while an automated script will try out hundreds of thousands of passwords like these every second.

So let’s add more complexity, both in character variation and length. Consider this password:

P@ssw0rD1234!!

6 additional characters, mixed upper and lower-case letters, some numbers and some special characters. Most website registration forms require all of these. And while it might look secure to you, that’s not quite true. Keep in mind that most brute-force attempts are automated. Combine that with dictionary attacks, rainbow tables and other password cracking methods, and you’ll soon come to realize that this password will be cracked in a matter of seconds, as scripts using various password databases either have many possible combinations of the „same” password in them, or just try out different combinations of characters at random.

What can we do to make a password even more secure? Add more complexity, and unpredictability. The latter point is the key – less predictable a password is, the longer it takes to crack it. Consider now the following password:

v(jA2T5=L+$]23t.

This is a computer-generated password. At 16 characters long, it could take more than 94! (94 factorial) tries to successfully crack it, if we take that it can use about 94 different characters, and characters can repeat themselves – check out factorials if you’re interested in more.

Keep in mind that the whole point of cryptography and security is to make it unfeasible, not impossible, to crack a password. It may very well be that the above password is the first one a script will try, at random.

We basically took care of the first drawback, just by using a 16 character long, random-generated password. But that password has to be saved somewhere, and has to be transmitted over a network. Here comes the 2nd drawback – man-in-the-middle attack.

Man In The Middle

A man-in-the-middle attack is basically an eavesdropper sitting in between 2 machines, listening in on their communication. If you were to send this password in plaintext (that is, unencrypted) over a network, an eavesdropper could easily intercept it and gain access to whatever it is you’re trying to secure.

One of the ways of protecting against that is hashing the password before it gets sent over the network. A hash function is a function that takes a data of arbitrary size and translates it to data of a fixed size. One of those functions is MD5. The same input will always produce the same output – if even one character changes, the hash value will be completely different. If we take the previous password and run it through an MD5 algorithm, we’ll get it’s hash value:

When you’re connecting to a server via SSH, for example, the hashed password is what gets sent over the network instead of the plaintext. Unfortunately, that hash can still be intercepted, and it can be reversed to it’s plaintext value, although that’s pretty difficult to do. Some challenge-response algorithms like SCRAM add a salt (a random value) to the password, so it’s even harder to figure out the plaintext.

Password storing and human factor

The third drawback is that the passwords have to be stored somewhere on the machine in order to check if the inputted password is valid. Luckily, Linux stores the password hashes instead of plaintext passwords (in /etc/shadow  file) so even if one password is compromised, an attacker can’t see any of the other passwords.

A user still has to remember a password, and the more complex it is, the greater the chances are that it will be written down somewhere – in plaintext. Hence, humans are, as usual, the weakest link in security. Having a password written down somewhere makes it much easier for an attacker to obtain it, rendering all crypographic methods used to secure passwords useless.

This is, of course, a very simplified overview of how password authentication actually works, and is not a detailed overview on the drawbacks, protocols and functions mentioned here. It should serve only as a case in point on why it’s important to use cryptographically strong passwords.

Now that we got the theory out of the way, let’s see how to create strong passwords in Linux.

CREATING STRONG PASSWORDS

Bash is powerful. There are as many methods of creating passwords on Linux as there are Linux flavors, if not more.

The most simple method would be to just hash some string of characters, and use that hash as a password. We can use the aforementioned md5sum  (or sha256sum , or any other hashing function) command to generate a hash:

This will create a hash of an arbitrary string and output the first 16 characters of it. If you want to use a longer or shorter password, just replace the 16 with the desired password length. The echo  at the end is just so you get the next prompt on a new line.

You can even run this through a base64  command to get a more varied result – and it would be preferable to do so as base64 uses both lowercase and uppercase letters:

Another method would be to use dd , and /dev/urandom , a native pseudo-random number generator:

This will use /dev/urandom as the input file for dd, which will read one byte at a time and output 32 input blocks (32 characters as the byte size is set to 1), then will encode the result with base64, and output the first 16 characters of that string.

Yet another method would be to use openssl's rand  – OpenSSL’s built in pseudo-random number generator:

This will produce a 16-bit long pseudo-random number, run it through base64, and once again output only the first 16 characters.

You can get really wild with combinations here. For example, use /dev/urandom to generate a random string, combined with tr  to get only the characters you want (this time with special characters included from OWASP special characters list), then output whatever length you desire:

USE STRONG PASSWORDS!

Though some security researchers and specialists advocate for a complete removal of password authentication, they are still very much in use today. When you consider how easily a password can be compromised, you’ll start to see the importance of using strong passwords. Use the commands from the examples above, or just play around with bash (or any other shell you might be using), and you’ll find at least 10 more ways of generating random strings that can be used as secure passwords. That is, of course, if you value the security of your server and your data, which you definitely should!