Auditing passwords is a worthwhile venture, particularly in an environment that deals with sensitive information. Because systems encrypt passwords when they store them, you really can't properly judge the strength of a password unless you try to crack it.
We suggest using a password-cracking tool such as John the Ripper. This tool works extremely well because it can crack MD5 passwords, which most systems currently use. In addition, it's much faster and more sophisticated than earlier password-cracking software such as Crack.
Once you've installed the tool, either from RPM or by compiling a copy yourself, you can set it to work. Keep in mind that John the Ripper uses a fair amount of CPU, but it will only use idle CPU time. However, copying the /etc/shadow file to a nonessential machine and running the tool on that, rather than a production machine, wouldn't be a bad idea either.
If you need to stop John the Ripper, press [Ctrl]C. You can resume cracking passwords from where you left off by using the following:
$ john -restore
This tool comes with a fair-sized dictionary of common passwords, which it uses by default. However, you can download any dictionary you want to use instead of or as complement to the existing dictionary. All you need to do is concatenate the default.lst file to the new dictionary.
In addition, it's a good idea to add words that are specific to your particular environment, including employee names, addresses, company name, etc.
To use a different dictionary than the default, use the following:
# john -wordfile:/tmp/dict.txt /etc/shadow
This runs John the Ripper against the passwords in /etc/shadow using the dictionary /etc/dict.txt.
To download the John the Ripper password cracker, visit the Openwall Project Web site.
Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.