“Basic Security Recommendations
Identification and Authentication
Current implementations of Linux are vulnerable through user passwords. Passwords are stored in clear text, meaning they are easily understood by any user that knows the password file location, and the default encryption tool for information does not meet the Government of Canada recommended encryption requirements.”
Well, it’s pretty clear they got that wrong:
$ cat /etc/shadow
cat: /etc/shadow: Permission denied

“/etc/shadow” contains the following. As explained in shadow(5), each “:”-separated entry of this file means the following.
Encrypted password (The initial “$1$” indicates use of the MD5 encryption. The “*” indicates no login.)
Days since Jan 1, 1970 that password was last changed
Days before password may be changed
Days after which password must be changed
Days before password is to expire that user is warned
see Chapter 4. Authentication (Debian)
So, quite wrong on the first point, and the second only partly true. MD5 is old and creaky, but if your password is “sdfkui7y23,$@&&&xvhut3r” and the user/malware has no access to the shadow file, where the password is stored MD5-hashed, not encrypted, how are they to find any string that produces that hash before being spotted? A “salt” is also added to the string before hashing, so the job gets harder still.
The usual standard in GNU/Linux is MD5:
mkpasswd -S "frog37r3" -m md5
but SHA-512 is available:
mkpasswd -S "frog37r3" -m sha-512
So, good luck cracking that mess without the failed attempts being noticed. Really, trial and error at the login prompt would be just as good as going after the shadow hash, which is out of sight.
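To make the shadow(5) field layout and the “$1$” versus “$6$” hash prefixes above concrete, here is an added audit snippet (my own example, not part of the original post or of Debian’s tooling) that parses shadow-style lines and reports which accounts still carry an MD5 hash. The entries it reads are constructed samples, not copied from a real system.

```python
# Added example: parse shadow(5)-style entries and flag hash methods weaker than
# SHA-512. Sample lines are constructed; the hash bodies are not real digests.
from dataclasses import dataclass

# crypt(3) method ids; $1$ (MD5) and $6$ (SHA-512) are the ones discussed above.
HASH_IDS = {"1": "md5", "5": "sha-256", "6": "sha-512", "y": "yescrypt"}

SAMPLE_SHADOW = """\
root:$6$frog37r3$CONSTRUCTEDsha512bodyNOTaRealHash0123456789:14245:0:99999:7:::
alice:$1$frog37r3$CONSTRUCTEDmd5bodyNOTreal:18000:1:90:14:::
daemon:*:14245:0:99999:7:::
bob:!$6$saltsalt$CONSTRUCTEDlockedHash:18500:0:99999:7:::
"""

@dataclass
class ShadowEntry:
    user: str
    method: str        # "md5", "sha-512", "no-login", "locked", "empty", "des"
    last_change: int   # days since 1970-01-01 that the password was last changed
    min_days: int      # days before the password may be changed
    max_days: int      # days after which the password must be changed
    warn_days: int     # days before expiry that the user is warned

def classify_hash(field: str) -> str:
    """Map the password field to a hash method or a non-login state."""
    if field == "":
        return "empty"                  # no password required at all
    if field == "*":
        return "no-login"               # the "*" case mentioned in shadow(5)
    if field.startswith("!"):
        return "locked"                 # passwd -l keeps the old hash behind "!"
    if field.startswith("$"):
        method_id = field.split("$")[1] # "$6$salt$hash" -> "6"
        return HASH_IDS.get(method_id, f"unknown-{method_id}")
    return "des"                        # no prefix: traditional DES crypt

def parse_shadow(text: str) -> list[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        entries.append(ShadowEntry(f[0], classify_hash(f[1]), int(f[2] or 0),
                                   int(f[3] or 0), int(f[4] or 0), int(f[5] or 0)))
    return entries

def weak_hash_users(entries, acceptable=("sha-512", "sha-256", "yescrypt")) -> list[str]:
    """Accounts with a usable password whose hash method is not in the acceptable set."""
    return [e.user for e in entries
            if e.method not in acceptable and e.method not in ("no-login", "locked")]
```

Running `weak_hash_users(parse_shadow(SAMPLE_SHADOW))` on the constructed data singles out alice, whose entry still uses the MD5 prefix.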
Indeed, Debian changed to SHA512 default hashing back in 2009:
[ Kees Cook ]
* debian/local/common-password, debian/pam-configs/unix: switch from "md5" to "sha512" as password crypt default.
So, the strength of the passwords is likely far more critical than how they are hashed. Debian tells us how to strengthen passwords, too.
I think this shows the Government of Canada is a little behind the curve in GNU/Linux and needs to open up to the standards of some European governments like Germany. Germany created their own GNU/Linux desktop for government use back in 2006. Germany isn’t spreading FUD about security of GNU/Linux. TFA from Canada was produced in 2010 using M$’s office suite and Adobe’s Distiller on that other OS.
Wake up Canada!