By default, Ubuntu stores passwords as MD5 hashes.
MD5 is a 128-bit hash and is no longer considered very secure.
http://en.wikipedia.org/wiki/Md5 has a description of hash collisions.
There is support for an alternative hash, blowfish, which has proven quite secure in OpenBSD.
To enable it, you have to install libpam-unix2:
apt-get install libpam-unix2
Next, replace all references to pam_unix.so with pam_unix2.so in all files under /etc/pam.d.
Note: The number of references in the files depends on the installed PAM modules.
Edit /etc/pam.d/common-password and add the following:
password required pam_unix2.so nullok use_authok obscure min=9 max=72 blowfish
To enable password checks when changing passwords, install libpam-passwdqc:
apt-get install libpam-passwdqc
and add the following to your /etc/pam.d/common-password:
password required pam_passwdqc.so max=72 similar=deny enforce=everyone retry=2 ask_oldauthtok=update check_oldauthtok
For a list of options, look at http://www.die.net/doc/linux/man/man...asswdqc.8.html.
Note: To finalize the changes, all passwords have to be re-entered!
If you restart at this point, you will be unable to log in again!
Set a new password with the passwd command (it can be the same as before, but it has to be reset to use the new hash).
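A way to check both conditions before rebooting, as an added example that is not part of the original post: it lists accounts whose shadow entry is not yet a blowfish hash and PAM files that still reference pam_unix.so. The function names and the sample shadow lines are constructed for illustration; the script assumes the standard crypt(3) prefixes, $1$ for MD5 and $2a$ (or $2b$, $2x$, $2y$) for blowfish.

```shell
#!/bin/sh
# Added example (not from the original post): find accounts whose shadow
# entry is not yet a blowfish hash, and PAM files still using pam_unix.so.

# Map one shadow password field to a scheme name via its crypt(3) prefix.
hash_scheme() {
    field=${1#\!}                 # a leading "!" only marks a locked account
    case "$field" in
        ''|'*'|'!')      echo none ;;      # no usable password hash set
        '$1$'*)          echo md5 ;;
        '$2'[abxy]'$'*)  echo blowfish ;;
        *)               echo other ;;     # e.g. traditional DES crypt
    esac
}

# Read shadow-format lines on stdin; print "user scheme" for every account
# that has a password hash in a scheme other than blowfish.
stale_hashes() {
    while IFS=: read -r user field _rest; do
        scheme=$(hash_scheme "$field")
        case "$scheme" in
            none|blowfish) ;;
            *) echo "$user $scheme" ;;
        esac
    done
}

# List files in a PAM config directory that still reference pam_unix.so
# (pam_unix2.so does not match because of the "2" before ".so").
pam_unix_refs() {
    grep -l 'pam_unix\.so' "$1"/* 2>/dev/null || true
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:!:13500:0:99999:7:::
alice:$2a$05$CONSTRUCTEDsaltCONSTRUCTEDhashCONSTRUCTEDhashCONSTRUCTED:13500:0:99999:7:::
bob:$1$CONSTRUC$CONSTRUCTEDhashvalue00:13500:0:99999:7:::
carol:!$1$CONSTRUC$CONSTRUCTEDhashvalue01:13500:0:99999:7:::
EOF
}

sample_shadow | stale_hashes      # real use, as root: stale_hashes < /etc/shadow
```

On a live system, run stale_hashes < /etc/shadow and pam_unix_refs /etc/pam.d as root; both should print nothing once every password has been reset and every reference replaced.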
Problems: For those of you in trouble after a reboot:
You can boot into your system without a password if you append init=/bin/bash to the kernel parameters in GRUB.
To enter that, type "e" at the GRUB prompt and you can edit the entry.
IMPORTANT: This only secures Ubuntu passwords! You can still log in with things like Knoppix or other methods like the one described above!
For a fully secured system you have to encrypt the hard drives!
There have been some problems (experienced by me and others) when using gnome-screensaver.
The problem lies in the libpam-unix2 package. It does not feature an equivalent for unix_checkpwd.
There are already bug reports at https://bugs.launchpad.net/ubuntu/+s...ix2/+bug/82518 and https://bugs.launchpad.net/ubuntu/+s...x2/+bug/106670.
Someone willing to try can compile the patch from Novell, try out the unix2_checkpwd program and report back.