Here's some info I put together regarding finding and strengthening the passwords on your system:
Finding Weak Passwords (The Easiest Method):
Log in to SSH as root and run this:
Code:
find /home/ -type f -wholename '*pwcache/*' -exec grep -Hi strength {} \; | awk -F ':' '{print $NF,$0}' | sort -n
That will show you the strength of many (but not necessarily all) email passwords on the system, sorted by the strength as determined by cPanel. The output will look something like this:
Code:
60 /home/user1/etc/example.com/@pwcache/info:strength:60
82 /home/user2/etc/example.com/@pwcache/postmaster:strength:82
82 /home/user3/etc/example.com/@pwcache/postmaster:strength:82
86 /home/user4/etc/example.com/@pwcache/orders:strength:86
The first (and last) numbers are the strength of the password. Near the end, you'll find the local part of the email address (i.e. the "info" in info@example.com), and somewhere near the middle you'll see the domain. Users with very weak passwords should be forced to change their password. Before you force anyone to change their passwords, make sure you've read the section at the bottom titled "Upgrade Your Hashing Algorithm".
Testing Account Passwords:
If you really want to find the weak passwords, round up all the shadow files and run them through "John the Ripper" with the rockyou.txt wordlist. That's Script Kiddie 101, so anything that fails here is dangerously weak. I won't go through how to use "john" (there are plenty of guides), but to collect the contents of all shadow files in one go, use:
Code:
find /home/ /etc/ -type f -name 'shadow' -exec grep '\$' {} \; | sort | uniq > allshadow.txt
Everything will now be in the file "allshadow.txt". Run john on that file, and any accounts that are cracked should be asked to change their passwords. There are many password lists to test against, (rockyou.txt possibly being the most comprehensive), so try a few. It would be a good idea to cross-reference the output obtained from "The easiest method" above, and see what strength of passwords you are able to crack. Set your minimum password strength above this number. Before you force anyone to change their passwords, read the next section...
"Upgrade" Your Hashing Algorithm:
This section perhaps should have come first, but since it would have slowed down the password cracking in "Testing Account Passwords", I saved it for last. Slowing down password cracking is of course the reason you want to do this.
If you're running CentOS/RHEL 5, chances are your passwords are hashed with md5. As of cPanel 11.34, cPanel supports sha512 for password hashes. Once you've increased the minimum password strength to prevent new bad passwords, it would be a good idea to "upgrade" the password hashing algorithm to sha512. First, check which algorithm you're using by running this as root in SSH:
Code:
authconfig --test | grep hash
If it says you're using md5, run the following to switch to sha512:
Code:
authconfig --passalgo=sha512 --update
Now, all new passwords will be hashed with sha512. Users with weak passwords should now be asked to change their passwords.
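As an added example (not part of the original post), here is a small audit script that ties the steps above together: it lists @pwcache entries below a chosen minimum strength and tallies the shadow entries by hash algorithm, so md5 ($1$) hashes left over after the switch to sha512 ($6$) stand out. The directory layout, strength values and hash strings it builds are constructed for the demo and the MIN_STRENGTH threshold is an assumed value; point the two functions at "/" to run them on a real server.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed sample tree
# mimicking the cPanel layout (/home/<user>/etc/<domain>/@pwcache/<local>),
# then reports weak mail passwords and counts shadow entries per hash algorithm.
# Hash strings below are constructed placeholders, not real password hashes.
set -eu

MIN_STRENGTH=${MIN_STRENGTH:-65}   # assumed threshold; tune to your own findings

build_sample_tree() {
    # $1 = base directory; entries are user:domain:localpart:strength
    for spec in user1:example.com:info:60 user2:example.com:postmaster:82 \
                user3:shop.example:orders:40; do
        u=${spec%%:*}; rest=${spec#*:}
        d=${rest%%:*}; rest=${rest#*:}
        l=${rest%%:*}; s=${rest#*:}
        mkdir -p "$1/home/$u/etc/$d/@pwcache"
        printf 'strength:%s\n' "$s" > "$1/home/$u/etc/$d/@pwcache/$l"
    done
    mkdir -p "$1/etc"
    printf 'root:$6$CONSTRUCTED$fakehash:16000:0:99999:7:::\n' > "$1/etc/shadow"
    printf 'info:$1$CONSTRUCTED$fakehash:16000::\npostmaster:$6$CONSTRUCTED$fakehash:16000::\n' \
        > "$1/home/user1/etc/example.com/shadow"
}

# Print "strength user domain localpart" for each pwcache entry under threshold.
# -path is the POSIX spelling of the -wholename used in the post.
weak_mail_passwords() {
    find "$1/home" -type f -path '*pwcache/*' -exec grep -Hi strength {} \; |
    awk -F ':' -v min="$MIN_STRENGTH" '$NF < min {
        n = split($1, p, "/");   # .../home/<user>/etc/<domain>/@pwcache/<local>
        print $NF, p[n-4], p[n-2], p[n]
    }' | sort -n
}

# Count shadow entries per crypt prefix: $1$ md5, $5$ sha256, $6$ sha512.
shadow_algo_counts() {
    find "$1/home" "$1/etc" -type f -name shadow -exec grep '\$' {} \; |
    awk -F '$' '{ a = ($2 == "1") ? "md5" : ($2 == "5") ? "sha256" : ($2 == "6") ? "sha512" : "other"
                  c[a]++ } END { for (k in c) print k, c[k] }' | sort
}

if [ "${1:-}" = "demo" ]; then
    base=$(mktemp -d); build_sample_tree "$base"
    echo "== mail passwords below $MIN_STRENGTH =="; weak_mail_passwords "$base"
    echo "== shadow hash algorithms =="; shadow_algo_counts "$base"
    rm -rf "$base"
fi
```

Run it as `sh audit.sh demo` to see both reports against the constructed tree.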
I hope this helps!