# Question about encryption and user passwords...

## Jesselnz

Right now, I have my /home partition encrypted with luks/aes, and I have to enter two passwords every time I boot (my encryption passphrase + my user password).  I'm thinking about making my user password the same as my passphrase, and using pam_mount to automatically mount /home upon login.  Would this setup introduce any security risks?  From what I understand, user passwords are encrypted with DES, which is weaker than AES.  My root partition isn't encrypted, so if a potential attacker is able to see how the system is set up, would this make a brute force attack easier?

----------

## rufnut

Hi 

You are on the right track; I also believe login security is a little weak.

Did you know "pambase" has a "sha512" use flag?

 *Quote:*   

> sha512        : Switch Linux-PAM's pam_unix module to use sha512 for password hashes rather than MD5. This option requires >=sys-libs/pam-1.0.1 built against >=sys-libs/glibc-2.7; if it's built against an earlier version, it will silently be ignored, and MD5 hashes will be used. All the passwords changed after this USE flag is enabled will be saved to the shadow file hashed using the SHA512 function. The passwords previously saved will be left untouched. Please note that while SHA512-hashed passwords will still be recognised if the USE flag is removed, the shadow file will not be compatible with systems using an earlier glibc version.

Maybe you could try that as I am sure it would be a lot more secure?

I have my whole system encrypted, so when I type the LUKS passphrase it automatically logs in as my chosen user (mind you, the passphrase and password are different).

Depends on your needs and hardware.


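A defender's check that follows from the quoted USE-flag note (hashes stored before the flag was enabled are left untouched): an added example, not code from the thread, that parses /etc/shadow-style lines, identifies the crypt(3) scheme of each stored hash and lists the accounts still on MD5 or traditional DES crypt, which a `passwd` run would re-hash. The sample shadow lines are constructed and their hash bodies are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# crypt(3) scheme ids found in the second field of /etc/shadow
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt", "empty"}      # stored forms worth fixing via passwd
DEFAULT_ROUNDS = {"sha256crypt": 5000, "sha512crypt": 5000}  # when rounds= is omitted

@dataclass
class ShadowEntry:
    user: str
    scheme: Optional[str]   # None when the account is locked
    rounds: Optional[int]   # rounds=N of the sha*crypt family, else None
    weak: bool

def parse_shadow_line(line: str) -> ShadowEntry:
    user, field = line.split(":", 2)[:2]
    if field == "":                      # empty field: login without a password
        return ShadowEntry(user, "empty", None, True)
    if field == "*" or field.startswith("!"):   # locked account, hash unusable
        return ShadowEntry(user, None, None, False)
    if not field.startswith("$"):        # 13-character traditional DES crypt
        return ShadowEntry(user, "descrypt", None, True)
    parts = field.split("$")  # "$6$rounds=N$salt$hash" -> ["", "6", "rounds=N", "salt", "hash"]
    scheme = SCHEMES.get(parts[1], "unknown($%s$)" % parts[1])
    m = re.match(r"rounds=(\d+)$", parts[2]) if len(parts) > 2 else None
    rounds = int(m.group(1)) if m else DEFAULT_ROUNDS.get(scheme)
    return ShadowEntry(user, scheme, rounds, scheme in WEAK)

def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    entries = [parse_shadow_line(ln) for ln in text.splitlines() if ln.strip()]
    return {e.user: e for e in entries}

def weak_accounts(text: str) -> List[str]:
    """Users whose stored password form should be replaced (re-hash with passwd)."""
    return [u for u, e in parse_shadow(text).items() if e.weak]

# Constructed sample shadow file; hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$rounds=10000$c0nstructedSalt$PLACEHOLDERHASHroot:19000:0:99999:7:::
alice:$6$c0nstructedSalt$PLACEHOLDERHASHalice:19000:0:99999:7:::
bob:$1$c0nstructedS$PLACEHOLDERHASHbob:19000:0:99999:7:::
legacy:abCDEFGHIJKLm:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
carol:!$6$c0nstructedSalt$PLACEHOLDERHASHcarol:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW).values():
        print(f"{e.user:8} scheme={e.scheme} rounds={e.rounds} weak={e.weak}")
    print("re-hash needed:", weak_accounts(SAMPLE_SHADOW))
```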
----------

## Jesselnz

It looks like pambase is compiled with sha512 on by default, so I guess I'm already set.  I'm not very knowledgeable about cryptography, but is a brute force attack against an sha512 hash something that could conceivably be done?

----------

## Moji

My home luks partition has two passwords: the first is a 1MiB key stored on my root partition, the second is a password.

My root is encrypted with luks using a password.

Since I have to use a password to mount, I have code in /etc/init/localmount to make sure home is mounted before the system needs it, then I auto-login my window manager.

I think it's a fairly good system, and it prevents me from having to type in multiple passwords at boot.

-MJ

----------

## rufnut

 *Jesselnz wrote:*   

> It looks like pambase is compiled with sha512 on by default, so I guess I'm already set.


Cool, I didn't know either.

 *Jesselnz wrote:*   

> I'm not very knowledgeable about cryptography, but is a brute force attack against an sha512 hash something that could conceivably be done?


I think we are safe after seeing the above.

Let's wait and see if someone in the thread can give us a reason not to be confident.

Oh, and my system is 99% encrypted; /boot is of course not.

