Lost User Account Passwords

william edward triest wtriest at chemistry.ohio-state.edu
Wed Feb 2 18:08:57 UTC 2005


I think the best idea given the situation would be to set a new password 
and send them that new password.  I know this isn't what you wanted, but 
its what I have seen done.  I think keeping passwords elsewhere is a bad 
idea.

Thanks,
Bill

David Gavin wrote:
> On Wed, February 2, 2005 12:32, Tim Alberts said:
> 
>>I'm running apache on a FC3 linux box.  I'm trying to make user password
>>control more available.  I know the passwd command to change user
>>passwords.  My question is, if a user enters a password and they forget
>>it, how can they get the password back out of the system without just
>>re-entering a new one?
>>
>>Specifically, I'm using Linux-PAM with shadow passwords.  I don't want
>>to give users root access.  I'm really trying to create a cgi/bash
>>script that a user can enter their email address and it will email them
>>there password.  Seems like a simple thing to do, but I haven't seen a
>>command to retreive a current user password from Linux-PAM/shadow
>>passwords.  I could use a MySQL database to keep track of this stuff,
>>but I prefer to use the security that Linux already provides.  Plus,
>>then I've got plain text passwords in a database or even if I encrypted
>>them in the database, I have the passwords in two places and then
>>there's the risk of them getting out of sink (however small a risk).
>>
> 
> <SNIP>
> 
>  You can't recover the passwords from the passwd/shadow files. It's a
> one-way encryption scheme - you supply a password at login and the system
> encrypts it and compares the results with what is in the passwd/shadow
> file. It it matches, you're in. Brute force password crackers just keep
> trying strings from a dictionary hoping for a match. I've worked in
> UNIX/Linux for ~ 20 years and never heard of anyone actually decrypting a
> password string.
>  You could set up a front-end that saves the pw in a db and then changes
> it, but if a user bypasses it (using the passwd command) you'd no longer
> have their current password in the db.....
> 
> Dave Gavin
> 
> 





More information about the users mailing list