Finding a strong password is essential to keeping our Linux system secure. However, without password scoring applications, it's difficult to know if our password is strong. Learn about using an online web-based tool as well as the pwscore command to test passwords.
- [Instructor] Requiring strong passwords can make a huge impact on Linux security. Linux administrators have control over which character classes are required, and even how many characters are necessary. To give a demonstration on what makes a password strong, I'll use T-Q-B-F-J-O-T-L as an example password. This is a mnemonic password, meaning that I've created it to be easy to remember. 'The quick brown fox jumped over the log' equals the password T-Q-B-F-J-O-T-L.
You can use sentences like this to create strong passwords that aren't based on dictionary words. However, passwords with different classes of characters, like numbers, upper and lowercase letters, and punctuation, will be harder to crack. To make our password harder, we can mix in different classes of characters. For instance, our password could be: T-q-B-f-J-0-T-! I've replaced every other letter with a capital, and replaced the O with a zero, and I've replaced the L with an exclamation point.
There are websites to help us strengthen our passwords. Thus, point a web browser to: https://howsecureismypassword.net. If I type in the word 'password', P-A-S-S-W-O-R-D, we can see that it would get cracked instantly. If I type in our first mnemonic password of T-Q-B-F-J-O-T-L, we can see that it would take five seconds to crack. That's better, but still quite bad, even though it looks like a difficult password.
Let's try the same password with upper and lowercase letters, numbers, and punctuation. T-q-B-f-J-0-T-! The result is a password that would take nine hours to crack. We can see that adding mixed characters makes a massive difference in passwords. However, if someone wanted to get into your machine, they could, it would just take nine hours. Let's look at how much password length plays a part.
Let's add an exclamation point to the password. Adding an exclamation point takes it from nine hours to four weeks. Add another exclamation point so we now have T-q-B-f-J-0-T-!-!-!. It now says it would take six years to crack. On Linux, we have a tool to help us find strong passwords as well, called pwscore. In a terminal, type in, 'echo 'password' | pwscore', and hit enter.
This is taking the text inside the single quotes and piping it to the pwscore command, which in turn returns a password score. Obviously, this fails, as it's too weak. Now let's see what pwscore says about the six-year password we used a minute ago. Type in, 'echo 'T-q-B-f-J-0-T-!-!-!' | pwscore', and hit enter.
This gets us a score of 41. Any password with a score of zero to 49 should be considered a moderately strong password. Password scores from 50 to 100 should be considered strong. To get a score of 50, we need to make it longer. Let's try by making our password a question. Did a quick brown fox jump over a log? Type in, 'echo 'd-A-q-B-f-J-0-T-l?' | pwscore', and hit enter.
And now we have a password score of 52. These tools can be invaluable in helping us find a strong password for our Linux systems.
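The pwscore workflow from the transcript, as an added example that is not part of the course material: a small wrapper that applies the 0 to 49 and 50 to 100 bands quoted above and handles the case where pwscore rejects the password outright. It assumes pwscore (from libpwquality) is installed; the function names and the `--prompt` option are this example's own, and the prompt mode reads the candidate with terminal echo off so it does not end up in shell history the way a typed `echo '...' | pwscore` line does.

```shell
#!/bin/sh
# Added example: wraps pwscore and applies the score bands quoted in the
# transcript. Function names and the --prompt option are hypothetical.

# Map a pwscore result (0-100) to the transcript's bands:
# 0-49 "moderate", 50-100 "strong". Anything else is "invalid".
band_for_score() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    if [ "$1" -gt 100 ]; then echo "invalid"; return 2; fi
    if [ "$1" -ge 50 ]; then echo "strong"; else echo "moderate"; fi
}

# Score one candidate. pwscore reads the password on stdin, prints a score
# on success, and exits non-zero with a message on stderr when the password
# fails the quality check (as 'password' does in the transcript).
rate_password() (
    if score=$(printf '%s\n' "$1" | pwscore 2>/dev/null); then
        printf '%s %s\n' "$score" "$(band_for_score "$score")"
    else
        echo "rejected"
        return 1
    fi
)

# Interactive use: sh rate.sh --prompt
# The candidate is read with echo disabled instead of being typed on a
# command line, so it is not saved in shell history.
if [ "${1:-}" = "--prompt" ]; then
    printf 'Candidate password: ' >&2
    stty -echo; IFS= read -r candidate; stty echo
    printf '\n' >&2
    rate_password "$candidate"
fi
```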