ScopeHosts Inc

Password Security

You can test your users' password security with many tools; for this guide we will be using John The Ripper (JTR).

Firstly, install John the Ripper:

wget http://www.openwall.com/john/f/john-1.7.0.2.tar.gz
tar -zxvf john-1.7.0.2.tar.gz
cd john-1.7.0.2/src
make generic
cd ../run



Now all we have to do is run the wordlist provided with John the Ripper against our password file, which on Linux is /etc/shadow (you will have to be root to read it):


./john -wordlist:password.lst /etc/shadow



This will start cracking the hashes in your /etc/shadow file (nothing is decrypted: john hashes each wordlist entry and compares it with the stored hash). Just give it time, and when it is complete you may view the passwords that were guessed with:


./john -show /etc/shadow



This will list the results in the format:

username:password



If you get any results you should change those passwords immediately.

After you are finished, remove the .pot file. Because you ran this against your /etc/shadow, anyone who found your .pot file would have a short, ready-made list of passwords for accounts on your system:

rm -rf john.pot



You should now be done. You can run the same test weekly against your passwords to make sure none of them can be brute forced. While the .pot file is useful, since it lets john skip passwords it has already guessed on later runs, it also leaves a short list of cracked passwords on disk as stated above, so it is wiser to remove it and accept the longer run time.
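The steps above wrapped into a weekly audit script, as an added example that is not part of the original article. It assumes john and password.lst are in the current directory (override with the JOHN and WORDLIST variables), only reports the affected user names rather than the recovered passwords, and removes john.pot afterwards as described.

```shell
#!/bin/sh
# Added example wrapping the article's procedure; not from the original page.
# Assumed locations (adjust as needed): john binary, its stock wordlist, the shadow file.
JOHN="${JOHN:-./john}"
WORDLIST="${WORDLIST:-password.lst}"
SHADOW="${SHADOW:-/etc/shadow}"

# Read `john -show` output on stdin and print only the user names.
# Cracked lines look like   username:password:uid:gid:gecos:home:shell
# and the trailing summary   "N password hashes cracked, M left"  is skipped,
# so the audit log never records a recovered password itself.
cracked_users() {
    grep ':' | grep -v ' password hash' | cut -d: -f1
}

# Run the wordlist against the shadow file, report weak accounts, clean up.
# Returns 0 if nothing was guessed, 1 if any account was cracked, 2 on setup errors.
run_audit() {
    command -v "$JOHN" >/dev/null 2>&1 || { echo "john not found at $JOHN" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to read $SHADOW" >&2; return 2; }

    "$JOHN" -wordlist:"$WORDLIST" "$SHADOW" >/dev/null 2>&1
    users=$("$JOHN" -show "$SHADOW" | cracked_users)

    # Remove the .pot file as the article recommends, whatever the outcome.
    rm -f john.pot

    if [ -n "$users" ]; then
        echo "Accounts whose password was guessed from the wordlist (change them now):"
        echo "$users"
        return 1
    fi
    echo "No passwords guessed from the wordlist."
    return 0
}
```

Schedule `run_audit` from root's crontab for the weekly check the article suggests; a non-zero exit status is what to alert on.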
