-1

How can I automatically send a user list once a week via e-mail, with all users and their passwords?

Pierre.Vriens
Asmir

1 Answer

5

Leaving aside the question of whether this is a good idea (here's a hint, though: it's not), assuming you have a standard Linux system (i.e., one that keeps the user data in /etc/{passwd,shadow}), there's a genuine technical problem.

Normal shadow passwords are stored hashed, which is to say, irreversibly encrypted. It is not computationally feasible to recover a decently strong password from the hash stored in the shadow file.

It is possible to recover weak passwords, but only via a dictionary attack: you encrypt all possible weak passwords, with all salts used in your shadow file, and compare the hashes. If you find a match, you've recovered that weak password. Needless to say, this is fairly computationally intensive.

So the short answer is no. Unless you set all users' passwords for them, forbid them from changing them, and use that master list to send out the system passwords, it's not possible to do what you want.

If you want to learn more about password hashing, how it works, how passwords are validated when only a hash is stored, and what a salt is, you can read much more at a variety of places, including the Wikipedia entry on Unix passwords and the places it links to.

MadHatter
  • +1. I agree with most of what you said, except the bit about it not being computationally feasible to crack strong password hashes. Using a GPU (or multiple GPUs in one machine) is the current fad in the crypto scene, and people are building 4 and 8 GPU monsters that can try billions of passwords per second. http://hashcat.net/oclhashcat/ for example. It's only a matter of time. Moore's law works for crackers too. – cas May 06 '11 at 10:56
  • I take your point, but you fail to address salting. The tool you point to claims to work against Linux MD5-hashed passwords, but makes no mention of modern SHA-512 hashes, and I suspect the difference in attack practicality is the amount of salt. I went back and looked at an old (RH73) system using MD5 hashing, and it has eight characters (say, 48 bits) of salt, whereas my modern (F14) desktop uses SHA-512 hashing and sixteen characters (say, 96 bits) of salt. 96 vs 48 bits of salt makes the brute forcing more than 10^14 times harder, and it's easier to add more salt than to speed up a GPU. – MadHatter May 06 '11 at 11:20
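
A weekly report can still list every account and how its password is stored, without containing any password or hash. The following is an added example, not part of the answer or comments above: it parses shadow(5)-style lines and reports each account's status, hashing scheme and salt length. The sample lines, account names and the helper names `classify`, `audit` and `needs_attention` are constructed for illustration.

```python
# Added example: report how each account's password is stored, never the hash.
# Every account name, salt and hash string below is a constructed placeholder.
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}

SAMPLE_SHADOW = """\
alice:$6$Zq3xN1pLw8Vt0KdY$CONSTRUCTEDHASHVALUE:15100:0:99999:7:::
bob:$1$ab12cd34$CONSTRUCTEDHASHVALUE:11800:0:99999:7:::
carol:!$6$rounds=10000$M2n4B6v8C0x1Z3a5$CONSTRUCTEDHASHVALUE:15100:0:99999:7:::
daemon:*:15000:0:99999:7:::
guest::15000:0:99999:7:::
"""

def classify(field):
    """Return (status, scheme, salt_length) for one shadow password field."""
    if field == "":
        return ("no-password", None, None)
    status = "locked" if field[0] in "!*" else "active"
    body = field.lstrip("!*")
    if not body:                        # bare "!" or "*": no usable hash at all
        return ("locked", None, None)
    parts = body.split("$")             # ['', id, [rounds=N,] salt, hash]
    if parts[0] != "" or len(parts) < 4 or parts[1] not in SCHEMES:
        return (status, "other", None)  # layouts differ, so no salt guess
    has_rounds = parts[2].startswith("rounds=") and len(parts) > 4
    salt = parts[3] if has_rounds else parts[2]
    return (status, SCHEMES[parts[1]], len(salt))

def audit(shadow_text):
    """Return one (user, status, scheme, salt_length) row per account."""
    rows = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if not line.strip() or line.startswith("#") or len(fields) < 2:
            continue
        rows.append((fields[0],) + classify(fields[1]))
    return rows

def needs_attention(rows):
    """Accounts with an empty password or an active MD5-crypt hash."""
    return [user for user, status, scheme, _ in rows
            if status == "no-password"
            or (status == "active" and scheme == "MD5-crypt")]

if __name__ == "__main__":
    report = audit(SAMPLE_SHADOW)
    for row in report:
        print("%-8s %-12s %-14s salt_len=%s" % row)
    print("review:", ", ".join(needs_attention(report)))
```

On a real system the input would be the contents of /etc/shadow, which only root can read; the report itself carries no secret material and can be mailed.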