Summary: Password Security Question

From: Constantin Moldovan (
Date: Fri Nov 24 2000 - 07:13:01 CST

I've got 2 replies that were very useful.
Many thanks to Darren Dunham and Matthew Stier.

My original post:

 Hi List,
 Environment: Sun Solaris 7 using NIS
 On the passwd file for NIS (not on the local passwd file, here all entries
 have x in the password field)
 there are some entries which have an * instead of x in the password field
 telalert:*:1207:1207:TelAlert Paging on nnm & eftia:/tmp:/bin/true
 mailadmin:*:1301:1302:Mail Admin Mail Account:/tmp:/bin/true
 reporter:*:1303:110:SQL Reporter on DB:/usr/local/reporter:/bin/csh
 These entries do not have an equivalent on the shadow file.
 They are used for applications only, no real person is using them to login.
 What does * mean and why do they not use x in the password field?
 Is this a security breach?

Here are the replies:

From: Darren Dunham []

* is simply an "invalid" password, so no one can log in to the account

x is simply a token that means 'go look in shadow'.

> Should we replace the * with an x?

Only if you create a shadow entry and put a '*' in the password slot.

Remember, the only reason for the separate shadow file is so that normal
users can't see the users' password hash. Since this user's password
hash is '*', there's nothing to decrypt. There is no vulnerable

Darren Dunham                                 
Unix System Administrator                    Taos - The SysAdmin Company
Got some Dr Pepper?                           San Francisco, CA bay area
      < Please move on, ...nothing to see here,  please disperse >

From: Matthew Stier []

It doesn't matter.

An encoded password entry will ALWAYS be 13 characters.

Since a blank password entry means the account has no password, a value has to be put into it. Since a valid encoded password is always 13 characters, putting any non-13 character string in the password field will result in a non-matchable string, and thus a locked account.

The asterisk character is typically used, since the encoding algorithm will not encode one. Actually, any character or string of characters that cannot be the result of encoding any password will work.

Since the facility I work at is small, we do not reuse accountnames or userids. To lock accounts, we use a string of two asterisks, the date encoded as an 8 character string, and two more asterisks.
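
The two replies together give a simple rule for auditing a passwd/shadow pair: "x" means the hash lives in shadow, and any password field that cannot be the output of traditional crypt(3) (exactly 13 characters from the salt alphabet, as on Solaris 7) can never match a typed password, so the account is locked. The script below is an added example, not code from either poster or from Sun. It applies that rule to constructed sample lines (the account names, UIDs and the 13-character strings are made up; the `**YYYYMMDD**` entry mirrors Matthew Stier's locking convention) and flags the cases an administrator actually cares about: a hash sitting in the world-readable passwd file, an empty password field, and an "x" with no shadow line behind it.

```python
# Added example (not from the list posts): audit a passwd/shadow pair using
# the rules from the two replies.  All sample lines are constructed.
import string
from typing import Dict, List, Optional

# Alphabet of a traditional 13-character DES crypt(3) hash: 2-char salt + 11 chars.
CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")

# Constructed sample data, assumed to be in the classic 7-field Solaris 7 /
# NIS layout.  The 13-character strings are placeholders, not real hashes.
PASSWD_LINES = [
    "root:x:0:1:Super-User:/:/sbin/sh",
    "jdoe:x:1001:10:Locked via shadow, as Darren suggests:/home/jdoe:/bin/ksh",
    "telalert:*:1207:1207:TelAlert Paging:/tmp:/bin/true",
    "reporter:*:1303:110:SQL Reporter on DB:/usr/local/reporter:/bin/csh",
    "oldacct:**20001124**:1400:110:Locked per site convention:/tmp:/bin/true",
    "legacy:ab0LrdkG8Q3Tg:1500:10:Hash left in passwd:/home/legacy:/bin/sh",
    "guest::1600:10:No password at all:/tmp:/bin/sh",
    "orphan:x:1700:10:No shadow entry:/home/orphan:/bin/sh",
]
SHADOW_LINES = [
    "root:Qz9mWkR2pL7xe:11285::::::",
    "jdoe:*:11285::::::",
]


def looks_like_des_hash(field: str) -> bool:
    """True only for a string that could be the output of traditional crypt(3):
    exactly 13 characters, all from the crypt alphabet.  Anything else cannot
    match any typed password, which is why '*' (or '**20001124**') locks an
    account."""
    return len(field) == 13 and all(c in CRYPT_ALPHABET for c in field)


def parse_colon_file(lines: List[str]) -> Dict[str, List[str]]:
    """Index colon-separated lines by their first field (the user name)."""
    entries: Dict[str, List[str]] = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def classify(pw_field: str, shadow_field: Optional[str]) -> str:
    """Classify one account; shadow_field is None when there is no shadow line."""
    if pw_field == "x":
        if shadow_field is None:
            return "CHECK: 'x' but no shadow entry to look up"
        if shadow_field == "":
            return "RISK: empty shadow field, no password required"
        if looks_like_des_hash(shadow_field):
            return "OK: hash held in shadow"
        return "LOCKED: shadow holds a non-matchable string"
    if pw_field == "":
        return "RISK: empty password field, no password required"
    if looks_like_des_hash(pw_field):
        return "RISK: hash exposed in world-readable passwd"
    return "LOCKED: non-matchable password field"


def audit(passwd_lines: List[str], shadow_lines: List[str]) -> Dict[str, str]:
    """Return a verdict per user name found in the passwd lines."""
    passwd = parse_colon_file(passwd_lines)
    shadow = parse_colon_file(shadow_lines)
    report: Dict[str, str] = {}
    for user, fields in passwd.items():
        if len(fields) != 7:
            report[user] = "MALFORMED: expected 7 colon-separated fields"
            continue
        shadow_pw = shadow[user][1] if user in shadow else None
        report[user] = classify(fields[1], shadow_pw)
    return report


if __name__ == "__main__":
    for user, verdict in audit(PASSWD_LINES, SHADOW_LINES).items():
        print(f"{user:10s} {verdict}")
```

On a real host you would feed `audit()` the lines of `/etc/passwd` and `/etc/shadow` (or `ypcat passwd` output for the NIS map); the only verdicts worth acting on are the RISK ones, while the `*` accounts from the original post come out as LOCKED, which is the intended state.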


Thank you all, Constantin Moldovan


This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:23 CDT