10.3: Make your password more secure System
In Mac OS X releases prior to 10.3, account passwords were always stored as hashes generated by the traditional Unix crypt(3) function. One of its shortcomings is that passwords cannot be longer than eight characters: anything beyond the eighth character is silently ignored. These hashes are also stored directly in the NetInfo database, which any user who can log in can read (nidump passwd . prints them in /etc/passwd format). A malicious user can therefore dump everyone's password hashes and run a password-cracking program against them offline to gain further access.

One of the many improvements in Panther is support for longer passwords, using a different hash algorithm (I'm not sure whether it is MD5 or something else). It also adds shadow password functionality: the password hash is no longer stored in NetInfo at all. Accounts with new-style passwords must authenticate through a special API in the DirectoryService framework, which never reveals the hash.

All new accounts created in Panther use the new password scheme by default, so there is nothing you need to do to enable it for them. But if you did an upgrade or archive install from a previous version of Mac OS X, your old account passwords were carried over and are used unchanged in Panther. Switching your account to the new password scheme is simple:

  1. Go into the Accounts Preference Pane
  2. Type your password into the Password and Verify fields. It will ask you to authenticate first, so also type your password into the sheet that pulls down.

That's it. You don't even have to change your password; you can keep the same one. But maybe now is a good excuse to change it anyway. To verify that the change worked, follow these steps:

  1. Open /Applications -> Utilities -> NetInfo Manager.
  2. Click on users, then click on your username.
  3. Check the passwd field. For an old-style password you will see a 13-character crypt hash; for a new-style password you will see only ********.
  4. Also check the authentication_authority field. Old passwords have ;basic; and new passwords have ;ShadowHash;.
You can check this before and after to confirm that it really changed. Also, if your password is exactly eight characters long, you can verify that typing any number of extra characters after the eighth still logs you in before the change, but no longer works after it.
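An added example, not part of the original hint: a small sh script that audits which local accounts still carry a crypt() hash and so should be re-entered in the Accounts pane. On a 10.3 system the input would be the output of nireport . /users name passwd authentication_authority (one line per user: name, passwd field, authentication_authority). Because that command only exists on Mac OS X, the block embeds a constructed sample of such output, with made-up hashes, so it runs anywhere. The classification rules are the ones the hint gives (;basic; or a visible hash means crypt; ;ShadowHash; or ******** means shadow hash); treating a passwd field of * or an empty one as a locked account is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original hint): find local accounts still using the
# pre-Panther crypt() hash. Real input on 10.3 comes from
#   nireport . /users name passwd authentication_authority
# which prints one whitespace-separated line per user (a missing property prints as
# an empty column). The sample below is constructed; the hashes are not real.

SAMPLE_REPORT='root ******** ;ShadowHash;
alice 3xs.bkeX81cMo ;basic;
bob ******** ;ShadowHash;
carol Q1vrzJKr3sGSU
mysql *
nobody *'

# classify_account PASSWD AUTHORITY
# Prints shadowhash, crypt or locked. ;ShadowHash; or a passwd field of ********
# means the hash lives outside NetInfo; ;basic; or a visible crypt string means
# the hash is readable in NetInfo. Treating * (or no passwd) as a locked account
# is an assumption of this example.
classify_account() {
    passwd=$1
    authority=$2
    case "$authority" in
        *ShadowHash*) echo shadowhash; return ;;
        *basic*)      echo crypt; return ;;
    esac
    case "$passwd" in
        '********') echo shadowhash ;;
        '*'|'')     echo locked ;;
        *)          echo crypt ;;
    esac
}

# list_crypt_accounts: reads nireport-style lines on stdin and prints the names
# of accounts whose password is still a crypt() hash, i.e. the ones to re-enter
# in the Accounts pane or reset with 'sudo passwd NAME'.
list_crypt_accounts() {
    while read -r name passwd authority; do
        [ -n "$name" ] || continue
        if [ "$(classify_account "$passwd" "$authority")" = crypt ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Demonstration on the constructed sample. On a real 10.3 box replace the printf
# with: nireport . /users name passwd authentication_authority | list_crypt_accounts
printf '%s\n' "$SAMPLE_REPORT" | list_crypt_accounts
```

On the sample this prints alice and carol: alice is flagged by her ;basic; authority, carol because her passwd field holds a visible hash with no authentication_authority at all, which is how a Jaguar-era account looks. Accounts whose passwd is just * have no usable hash and are not worth converting.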

Finally, note that some Unix programs that authenticate users themselves, by reading the hash out of NetInfo instead of going through DirectoryService, may not have been updated to handle the new passwords yet. This hint shows one example.

10.3: Make your password more secure
Authored by: mikael on Nov 16, '03 05:39:18AM
I just looked at the Forums and I can't log in to NetInfo with my root account. Look here: http://forums.macosxhints.com/showthread.php?s=&threadid=17055 It looks like NetInfo can't handle the new shadowed passwords, so take it easy before you change to these new passwords, or else it will be the last thing you do in NetInfo, until Apple fixes this or someone else does... Mikael (who can't log in to NetInfo from the root account)

---
Mikael

10.3: Make your password more secure
Authored by: PMUser on Nov 17, '03 12:01:42PM

Is there a way to change the root account's password via this method? Perhaps log out, log in as root and then follow these directions?

10.3: Make your password more secure
Authored by: andyinindy on Mar 28, '04 11:53:58AM

To update root's password to the new ShadowHash style, just open a Terminal window and type:

sudo passwd root

You will be prompted for an admin password, and then you can enter the new (or the same) password. When you check in NetInfo, you'll see that root is now using the new-style password.

Seems to help SAMBA too
Authored by: bciesq on Nov 16, '03 05:59:51AM
Updating your password has the ancillary benefit of ironing out a few bugs in SMB. I came across the following at

http://www.macwindows.com/panther.html#reader

November 3, 2003

Darrell Kienzle has a fix based on the NetInfo Manager:

I read your discussion of problems with access to SMB shares in Panther. Here's something I discovered when working with one of the betas.

Fire up NetInfo Manager and browse to /users/yourname/passwd. The passwd _should_ be "******". This is a representation of a shadow password (a feature added in Panther). If you see something like "YW3273hhs," that's a standard hashed Unix passwd (which Jaguar used).

If you have a hashed passwd, use System Preferences to change your password (you can give it the same value it used to be). Reload NetInfo Manager and you'll see it has changed to "******".

I found that this helped enormously when trying to connect to Windows and SAMBA shares.

I can verify that updating my login password fixed a problem with my PowerBook failing to access shares at work on a Windows NT domain. FWIW, I connect via the cmd-k method (aka "connect to server") rather than browsing the "Network" entry in the sidebar as I like my servers showing up on the desktop as the good lord intended.

Sorry if this rambled too far off topic.

10.3: Make your password more secure
Authored by: mikael on Nov 16, '03 06:00:02AM

I got it to work. I did "update" one of my users to the new shadowed password, and from that user it was no problem to log into NetInfo, but I still couldn't log in from the root account, so I looked at the link that was mentioned in the tip, about copying and pasting "********" from that user; there it worked to log in to NetInfo, to the root account that only had one *,
and after that I can log in from my root account to NetInfo... =)


---
Mikael

10.3: Make your password more secure
Authored by: sfn on Nov 16, '03 10:27:15AM

I just checked my NetInfo account, and on my upgraded Jaguar it shows ******* as the password and ;ShadowHash; without my having changed my password. My MySQL account does not. I don't recall changing or verifying either of the other two accounts.

---
-sfn

10.3: Make your password more secure
Authored by: mike3k on Nov 16, '03 11:30:23AM

This has the disadvantage of making imapd unable to authenticate. I installed UW imapd according to an earlier hint, but since I'm only using it to archive my mail locally rather than allowing remote IMAP logins, I enabled password logins so I can use it easily from Mail.app or Eudora.

When my password got changed from basic to shadow hash, I could no longer log in to imapd until I changed it back and entered the old-style hash.

10.3: Make your password more secure
Authored by: testuser on Jan 29, '04 03:09:15PM

re: "I'm not sure if it's md5 or something else"

According to Apple documentation, ;ShadowHash; uses SHA-1 encryption.

10.3: Make your password more secure
Authored by: testuser on Jan 30, '04 12:05:29PM

Sorry, scratch that.

SHA-1 does not produce the 104-byte strings used in the 10.3 hashes. These hashes are stored in /var/db/shadow/hash under the user's generateduid. The generateduid is a new user property in the NetInfo database under 10.3.

I don't know what algorithm is being used!

10.3: Make your password LESS secure
Authored by: HotButter on Mar 29, '04 01:05:20AM

Under 10.3.x, by default all users get an NT4 Samba hash, which is a PIECE OF CAKE TO CRACK. The SHA-1 hash is also there, and apparently another longer hash as well, but it makes little difference.

Under 10.2.x the NT4 hashes were only created if Windows sharing was turned on.

http://freaky.staticusers.net/ugboard/viewtopic.php?t=10834&highlight=
