Securing Passwords - Good Idea?
From DaveG at Apple-X Net:
Link To Article/Tip
If you upgraded to Panther, here's how to fix your password security.
One of the biggest problems with account security in OS X in 10.2.x and lower was that the passwords were not truly shadowed and only paid attention to the first 8 characters of the password you entered. Not exactly a good thing. While we didn't hear a lot about this fact, and in truth, there wasn't a lot of info about it available, especially if you were not in certain very specific parts of the hacker scene, it could lead to some pretty major security problems. Luckily, Apple fixed this problem in Panther. If you did a clean install of Panther, then the problem is already fixed for you, no problem. The password now recognizes more than the first 8 characters entered and is stored using real unix shadowing. However, if you did an upgrade, then the old problem persists on your box. Let's fix that right now, it's real simple and a no brainer. It shouldn't take more than a couple of seconds and you won't even have to touch the terminal, unless you want to of course
For those of you who do not like playing around with the terminal or just prefer using GUI tools when possible, launch your System Preferences application. Next, choose the Accounts applet, which will bring you to the users and account editing screen. Click in the top password box and type any character. This will cause Panther to authenticate you. Enter your password in the authentication box that pops up. Once you have been authenticated, replace the password in the boxes with either a new password, or your old one. This will cause Panther to reset your password and by doing so, it will use the updated system features to do so. Close System Preferences. You're done.
For those of you who like the terminal, launch it and use the passwd program to reset your password. If you don't know how to do this, then view the passwd man entry, i.e. [DaveG@DaveG]~$]man passwd.
Example:
[DaveG@DaveG]~$]passwd [enter]
changing password for DaveG
Old password:MyPassword [enter]
New Password:NewPassword [enter]
Retype new password:NewPassword [enter]
[DaveG@DaveG]~$]
To break this down simply, everything that has been emphasized is what this program puts on the screen. [enter] means you should hit the enter/return key on your keyboard. *MyPassword* is your current password and *NewPassword* is the password you are entering now. All text except for the command prompt, i.e. [DaveG@DaveG]~$] that is not emphasizedis what you enter.
That's all it takes, and now your system is using full passwords and proper password shadowing for you account. If you have other accounts on your box, you will want to do the same thing for those accounts as well. Enjoy your more secure Mac.
Link To Article/Tip
If you upgraded to Panther, here's how to fix your password security.
One of the biggest problems with account security in OS X in 10.2.x and lower was that the passwords were not truly shadowed and only paid attention to the first 8 characters of the password you entered. Not exactly a good thing. While we didn't hear a lot about this fact, and in truth, there wasn't a lot of info about it available, especially if you were not in certain very specific parts of the hacker scene, it could lead to some pretty major security problems. Luckily, Apple fixed this problem in Panther. If you did a clean install of Panther, then the problem is already fixed for you, no problem. The password now recognizes more than the first 8 characters entered and is stored using real unix shadowing. However, if you did an upgrade, then the old problem persists on your box. Let's fix that right now, it's real simple and a no brainer. It shouldn't take more than a couple of seconds and you won't even have to touch the terminal, unless you want to of course
For those of you who do not like playing around with the terminal or just prefer using GUI tools when possible, launch your System Preferences application. Next, choose the Accounts applet, which will bring you to the users and account editing screen. Click in the top password box and type any character. This will cause Panther to authenticate you. Enter your password in the authentication box that pops up. Once you have been authenticated, replace the password in the boxes with either a new password, or your old one. This will cause Panther to reset your password and by doing so, it will use the updated system features to do so. Close System Preferences. You're done.
For those of you who like the terminal, launch it and use the passwd program to reset your password. If you don't know how to do this, then view the passwd man entry, i.e. [DaveG@DaveG]~$]man passwd.
Example:
[DaveG@DaveG]~$]passwd [enter]
changing password for DaveG
Old password:MyPassword [enter]
New Password:NewPassword [enter]
Retype new password:NewPassword [enter]
[DaveG@DaveG]~$]
To break this down simply, everything that has been emphasized is what this program puts on the screen. [enter] means you should hit the enter/return key on your keyboard. *MyPassword* is your current password and *NewPassword* is the password you are entering now. All text except for the command prompt, i.e. [DaveG@DaveG]~$] that is not emphasizedis what you enter.
That's all it takes, and now your system is using full passwords and proper password shadowing for you account. If you have other accounts on your box, you will want to do the same thing for those accounts as well. Enjoy your more secure Mac.
Comments
Originally posted by pensieve
No, securing passwords is not a good idea. What happens if you forget your password? It's best to leave them so you can figure it out if you forget it. Especially if you've got critical data on your computer.
If I am getting the gist of this correctly, the article is talking about taking advantage of the longer password length in Panther as opposed to the eight character limitation in Jaguar, not how you store your passwords.
Originally posted by Kickaha
*ahem* I believe he was being sarcastic...
You can't let it go for more than one post, can ya? You did the same thing to me in that thread about the packets clogging up ast3r3x's internet connection.
Yes, I was being sarcastic. Of course it's a good idea. What kind of silly question is that?
My apologies, mon frere!
From now on, I will willingly and willfully refrain myself from correcting when you bait the newbies, you insufferably sadistic bastard.
mcsjgs: Good catch on the article, thanks for the pointer, and please, ignore the cranky old guy in the corner mumbling to himself.
Originally posted by Kecksy
Anyone who forgets his or her password is an idiot who deserves to face whatever consequences result from his or her own stupidity.
hey.
Originally posted by mcsjgs
Humble newbie takes a licking and keeps on ticking
No offense intended. I'm just an ass sometimes. Feel free to ignore me if I'm sounding rude... I'm not really.
Originally posted by Kickaha
Oh shut up, yes you are.
From the posting guidelines:
Excessive ad-hominem attacks of forum members will not be tolerated. We understand that things get heated, but it helps to maintain a modicum of respect for the membership. Attack ideas, not people. Be open-minded and try to help foster meaningful discussion (yes, meaningful discussion is possible if everyone respects each other).
That's twice in this thread alone you've insulted me!
Oh, who am I fooling? I am an ass. I figure after 3000+ posts, I can be whoever I want....
Originally posted by pensieve
No offense intended. I'm just an ass sometimes. Feel free to ignore me if I'm sounding rude... I'm not really.
None taken. I was being excessively cautious in my response. All in good fun.
BTW on this securing passwords, it worked just fine for all the users on the machine except root. In root, it caused the root login (by name and password) to disappear from log-in window. I understand you can hold the shift key to see it, but I ended up with a large hassle in netinfo to get it back into the log-in window. So be warned.