Manjaro Installers - Password Weakness

security
password
passwd

#22

Ok, thanks (I knew there were more ways to do it, but since we are here, I thought I’d ask).

I checked the hash in /etc/shadow but how can I check just the salt?

For root there is only one number after the hash. Is that ok?


#23

The most important you don’t have two times the username.


#24

I tried to read /etc/shadow but was unable to access the file to verify that the change of password occurred correctly. I assume all is well as I followed the instructions in this thread, so I’m not overly concerned. My DE is KDE.


#25

You can red the file only with su(do) rights.


#26

For example with sudo cat /etc/shadow


#27

Thanks for showing me how to use cat in terminal! I learned something new today. For both the username and root rows in the file, neither username is repeated after :$6$ so it looks like I’m good to go.


#28

Good point. Is it possible to include something in the update so that every one has to go through one step during update. Like asking the people to confirm that they have made the changes appropriately.


#29

Thank you for this helpful information. Time to change password.


#30

After changing etc/shadow looks like this

username:$6$Y1szxfdd root:$6$root

I did not set a root passwd. AFAIK manjaro uses the root in the usual sense of linux, i.e root account is not activated unless you explicitly do so.

Is it fine , or do I have to change/set the root passwd too?


#31

Yes, especially the root password! And it is activated. I don’t know any Linux without root. Without sudo - yes.


#32

Ok I have set the root password. I am curious , if there was no root password set before, what was the hash value generated against ? . What hashing algorithm was used, I would like to find out what was there before I set the root password.
(Sorry for slightly going off-topic)

My understanding is that setting a root password is considerred unsecure if you don’t know what you are doing. To use root priveleges , you use sudo with admin password.


#33

@codeblooded

For a password to be well secured it needs to be encrypted using an unpredictable key, individual for each password. So a person who has access to some or other passwords cannot figure back the key for other accounts.

The problem here was the key followed a predictable pattern, so if you knew some password key you could figure out the following.


#34

After changing my password i am still seeing
USERNAME>:$6$< USERNAME>$
instead of
bob:$6$Xc7F0tzed.#f5P3r$::::


#35

Did you change it via the terminal with passwd (for your user) and sudo passwd (for root)?


#36

I wasnt using the right command, my bad. I changed them successfully.


#37

Thanks, I successfully changed both passwords.


#38

Can we just change them back to the same password and be safe???
I mean there is all that hashing and what not even though it is the same.

Gah, I hope this is not to necro. Did not see the date for some reason.


#39

It is still technically safe to use the same pass - this bug was about how it was stored/encrypted.


#40

Currently done a fresh install yesterday on 17.1.7 and my question is, has this been updated is is it still required?
Thanks


#41

The answer is given in the OP: