Creating User Passwords

by Mike on June 19, 2010 · 2 comments

in Ubuntu Servers

Creating User Passwords
The “-p” useradd option allows you to create a password at the same time that you create a user account.  However, for two reasons, it’s an option that you really don’t want to use.   First, it doesn’t hash the password.  So, when you look in the “/etc/shadow” file, you’ll see the password there in plain text.  Second, by entering the password as part of a “useradd” command, it’ll show up in your shell history, also in plain text.   Your best bet is to ignore the “-p” option, and use two separate steps to create the user account and the password.

useradd jane
passwd jane

The passwd command is used to create the password for each user.  Users forget their passwords.  Often the administrator will be expected to reset those passwords.  Looking up passwords is not a possibility because they are encrypted in storage.  A new password must be created with the passwd command.

To reset the password for user john:

passwd  john

Then you will be prompted to enter a password twice.

Password Control
The command usermod can be used to create several password aging attributes.  Here are several options:

-c  comment           description of the user
-d  home_dir           change the home directory
-e  expire_date       assign an expiration date in the MM/DD/YYYY format
-f   inactivity            number of days before account disabled
-g  group                 change primary group
-G  grouplist            set the list of groups that the user is in
-l   login_name        change login name for user
-m                            used only with -d option, home contents copied to  new home directory
-s  shell                   indicate a new shell
-u  user_id               change user ID

Modify an account.
sudo  usermod -e 05/01/2011 jane

The modified /etc/shadow shows the change to jane’s account.

jane:$6$K0Y7yctA$kk2cxELHsfbDX4WMm4/XPMmuluzZoYMpTpzr7Um/E06iLO1xuyDtmgR7jkROwR 0iuWF65p7XEmpmCsHpPBmKP0:14769:0:99999:7::15095:

Check Password
The command chage -l can be used to show the status of a user’s password protection.  Let’s say you wanted to check the status of jane’s password.

chage -l jane
Last password change                    : Jun 09, 2010
Password expires                        : never
Password inactive                        : never
Account expires                        : May 01, 2011
Minimum number of days between password change        : 0
Maximum number of days between password change        : 99999
Number of days of warning before password expires    : 7

Choosing the correct password, as well as informing and enforcing password security for users is an important task for the administrator. Security is built upon passwords, so close attention should be paid to making passwords an effective tool in security.

Aspects of a Good Password
1. 8 characters or more
2. use numbers in the password
3. use letters in the password
4. use case in the password
5. avoid dictionary words

These five aspects are critical because software programs can employ “brute force” tactics to try to guess passwords on your network. Using the five aspects above will make it more difficult to crack your passwords.   Security usually begins with most systems at the user level. One of the most important aspects of user security is the user password. A lot of security can go down the drain with poor passwords that can be easily cracked. Several important elements of a user password are length of the password, randomness and the forced creation of new passwords at regular intervals. Most users resist all of these elements.

The length of a password is directly proportional to the ease at which it could be cracked. As a result all passwords should be at least 8 characters long. In addition, passwords should not be based on dictionary words, they should be random.   It is easier to crack passwords based on dictionary words as cracking programs typically start with dictionary strings.  One way to make secure passwords is to create passwords from phrases that are common to you. For example in the phrase ” I live at 101 Maple Street in Phoenix Arizona,” could be turned into the password

This is a password built on the first letter of each word to create a secure password. Remember Linux is case sensitive.

Password Management allows you to force changes in the password or have the account be automatically disabled in a period of time. It is a good idea to force users to change their passwords at regular intervals. Of course this is even more important for administrator’s to do as well. The downside to this is that users forget their passwords if forced to change often making possibly a worse situation.


Vacendak June 19, 2010 at 5:32 am

Missed a S in the example password Street

Hans Bezemer June 19, 2010 at 11:06 am

There is nothing special down here, since it is a summary of known “best” practices. Main problem: humans are incompatible with them. Yes, you can devise a scheme to make a password that is secure and easily remembered. Problem: with several passwords and ones you have to change every two weeks that will not do. Yes, you can *force* people to change passwords every six hours if you want to. Countermeasure: they will write it down. Better countermeasure: they will write it down where they have easily access to it. You can even *supply* passwords to people – same countermeasures apply. You address some issues concerning with passwords, but the list is long. Three strikes and you’re out: more calls to the helpdesk, lost productivity, the list is endless. Let’s face it: password are an old and fundamentally flawed technology.

Previous post:

Next post: