Creating User Passwords

by mike on June 19, 2010

Creating User Passwords

The “-p” useradd option allows you to create a password at the same time that you create a user
account. However, for two reasons, it’s an option that you really don’t want to use. First, it
doesn’t hash the password. So, when you look in the “/etc/shadow” file, you’ll see the password
there in plain text. Second, by entering the password as part of a “useradd” command, it’ll show
up in your shell history, also in plain text. Your best bet is to ignore the “-p” option, and use
two separate steps to create the user account and the password.

useradd jane
passwd jane

The passwd command is used to create the password for each user. Users forget their
passwords. Often the administrator will be expected to reset those passwords. Looking up
passwords is not a possibility because they are encrypted in storage. A new password must be
created with the passwd command.

To reset the password for user john:

passwd john

Then you will be prompted to enter a password twice.

Password Control
The command usermod can be used to create several password aging attributes. Here are several
options:

-c comment description of the user

-d home_dir change the home directory
-e expire_date assign an expiration date in the MM/DD/YYYY format
-f inactivity number of days before account disabled
-g group change primary group
-G grouplist set the list of groups that the user is in
-l login_name change login name for user
-m used only with -d option, home contents copied to new home directory
-s shell indicate a new shell
-u user_id change user ID

Modify an account.
sudo usermod -e 05/01/2011 jane
The modified /etc/shadow shows the change to jane’s account.

jane:
$6$K0Y7yctA$kk2cxELHsfbDX4WMm4/XPMmuluzZoYMpTpzr7Um/E06iLO1xuyDtmgR7jk
ROwR 0iuWF65p7XEmpmCsHpPBmKP0:14769:0:99999:7::15095:

Check Password
The command chage -l can be used to show the status of a user’s password protection. Let’s say
you wanted to check the status of jane’s password.

chage -l jane
Last password change : Jun 09, 2010
Password expires : never
Password inactive : never
Account expires : May 01, 2011
Minimum number of days between password change :0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

Choosing the correct password, as well as informing and enforcing password security for users is
an important task for the administrator. Security is built upon passwords, so close attention
should be paid to making passwords an effective tool in security.

Aspects of a Good Password

1. 8 characters or more
2. use numbers in the password
3. use letters in the password
4. use case in the password
5. avoid dictionary words

These five aspects are critical because software programs can employ “brute force” tactics to try
to guess passwords on your network. Using the five aspects above will make it more difficult to
crack your passwords. Security usually begins with most systems at the user level. One of the
most important aspects of user security is the user password. A lot of security can go down the
drain with poor passwords that can be easily cracked. Several important elements of a user
password are length of the password, randomness and the forced creation of new passwords at
regular intervals. Most users resist all of these elements.

The length of a password is directly proportional to the ease at which it could be cracked. As a
result all passwords should be at least 8 characters long. In addition, passwords should not be
based on dictionary words, they should be random. It is easier to crack passwords based on
dictionary words as cracking programs typically start with dictionary strings. One way to make
secure passwords is to create passwords from phrases that are common to you. For example in
the phrase ” I live at 101 Maple Street in Phoenix Arizona,” could be turned into the password
Ila101MiPA
This is a password built on the first letter of each word to create a secure password. Remember
Linux is case sensitive.

Password Management allows you to force changes in the password or have the account be
automatically disabled in a period of time. It is a good idea to force users to change their
passwords at regular intervals. Of course this is even more important for administrator’s to do as
well. The downside to this is that users forget their passwords if forced to change often making
possibly a worse situation.