When a user logs in to a UNIX computer, the login interface challenges the user to provide a user name and a password to obtain access to the execution environment provided by the computer. Typically password information is stored in an /etc/passwd file and in an /etc/shadow file. The /etc/passwd file typically grants general read permission (any user can read it) but restricts write permission to the superuser, or root user. The /etc/shadow file, by contrast, typically restricts read and write permission to the root user (and, on some systems, to a dedicated shadow group). The /etc/passwd file comprises an entry for each user name that associates the user name with a numeric user identity, a group identity, a descriptive field, a home directory, and a command shell. The /etc/passwd file entry for the user name may also hold the user's password (in clear text or, historically, as a hash), but because the file is world-readable this is considered an insecure practice, and it is now considered best practice to place only a marker (conventionally the character "x") in the password field of the /etc/passwd entry, indicating that the password hash is held elsewhere. The password hash is then stored in an entry indexed by the user name in the /etc/shadow file. The stored value is not an encryption of the password in any recoverable sense; the password is passed through a one-way hashing function together with a random salt, and the stored value indicates, by a prefix such as "$6$" followed by the salt, which hashing function and which salt were used. The entry in the /etc/shadow file also indicates the date the password was last changed, expressed as a number of days since 1 January 1970, together with ageing parameters such as the minimum and maximum number of days between changes.
When a user attempts to log in on a UNIX computer, typically a login daemon process challenges the user to input his or her user name and password in clear text. The login daemon maps the user name to the /etc/passwd entry associated with that user and determines from the password field that the hash is held in /etc/shadow. The login daemon then maps the user name to the /etc/shadow entry associated with that user and looks up the stored hash. Because the hashing function is one-way, the daemon cannot recover the password from the stored value; instead it determines from the stored value which hashing function and which salt were used, applies the same function and salt to the input password, and compares the resulting hash with the hash read from the /etc/shadow entry associated with the user. If the two values match, the user is granted access to the UNIX computer. A stored value that is not a valid hash (for example a field beginning with "!" or "*", which marks a locked account or one for which password login is disabled) can never match and so always denies login. The comparison is preferably performed in constant time, so that the time taken to reject a wrong password does not reveal how many leading bytes of the hash were correct. It is understood that the access that is granted may be restricted in various ways based on the privileges and identities attached to that user identity. That is, the user may be able to read and write some files, read but not write other files, and neither write nor read yet other files.
When a user changes his or her password, the UNIX computer may first check that the proposed new password satisfies password complexity requirements. Because the stored value is a one-way hash, such checks can only be applied to the clear-text proposal at the moment it is supplied, before it is hashed. It may be desirable for passwords to be sufficiently complex to make guessing the password computationally difficult, so as to mitigate the risk of an unauthorized user gaining access to the computer by impersonating an authorized user and guessing that user's password. Such password complexity requirements may specify one or more of a minimum password length, a minimum number of non-alphabetic characters, a minimum number of digits, and/or a minimum number of capital letters. Password complexity requirements may further exclude passwords that are enumerated in a dictionary of common passwords, since an attacker who obtains a copy of the /etc/shadow file can test such a dictionary offline against the stored hashes.
When the user changes his or her password and the proposed new password satisfies any password complexity requirements enforced on the UNIX computer, the password is hashed under a freshly generated random salt, the resulting value is written into the entry associated with the user in the /etc/shadow file, and the indication of when the password was last changed is updated to the current day. Using a new salt for each change ensures that two users with the same password, or one user reverting to an earlier password, do not produce identical stored hashes. It will be appreciated that there are a plurality of variants of UNIX computer systems in use around the world and that the password framework of any given UNIX computer system (for example, whether authentication is mediated by a pluggable authentication module (PAM) stack, or whether the hashes are kept in a file such as /etc/master.passwd on BSD-derived systems) may vary somewhat from the general description above.
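The login check described in the second paragraph above and the complexity check and change procedure described immediately above, as an added illustration in Python that is not part of the original description. It assumes a stand-in hash field format, "$pbkdf2-sha256$<rounds>$<salt>$<hex>", modelled on the "$id$salt$hash" layout of crypt(3) (a real system would store, for example, a "$6$" SHA-512 crypt value; Python's crypt module is deprecated, so PBKDF2 from the standard library is used instead). The policy thresholds, the common-password list and the /etc/passwd and /etc/shadow records are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed stand-in for crypt(3): "$pbkdf2-sha256$<rounds>$<salt>$<hex digest>".
# A real /etc/shadow holds e.g. "$6$<salt>$<hash>" (SHA-512 crypt); the idea is
# the same: the prefix names the hashing function and carries the salt.
SCHEME = "pbkdf2-sha256"
DEFAULT_ROUNDS = 100_000
# Constructed mini dictionary standing in for a common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def hash_password(password, salt=None, rounds=DEFAULT_ROUNDS):
    """One-way hash of a password; a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    return f"${SCHEME}${rounds}${salt}${digest.hex()}"


def verify_password(stored, candidate):
    """Re-derive the hash with the scheme, rounds and salt recorded in the stored
    field and compare in constant time. A locked field ('!' or '*' prefix), an
    empty field or an unknown scheme never verifies."""
    if not stored or stored[0] in "!*":
        return False
    parts = stored.split("$")          # ['', scheme, rounds, salt, digest]
    if len(parts) != 5 or parts[1] != SCHEME or not parts[2].isdigit():
        return False
    recomputed = hash_password(candidate, salt=parts[3], rounds=int(parts[2]))
    return hmac.compare_digest(recomputed, stored)


def parse_records(lines, nfields):
    """Index colon-separated records (passwd: 7 fields, shadow: 9) by user name."""
    records = {}
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) == nfields:
            records[fields[0]] = fields
    return records


def check_login(passwd, shadow, user, candidate):
    """The login daemon's check: locate the passwd entry, confirm its password
    field defers to /etc/shadow ("x"), then verify against the shadow hash."""
    pw_entry = passwd.get(user)
    if pw_entry is None or pw_entry[1] != "x":
        return False
    sh_entry = shadow.get(user)
    return sh_entry is not None and verify_password(sh_entry[1], candidate)


def complexity_errors(password, min_len=12, min_nonalpha=1, min_digits=1, min_upper=1):
    """Return the list of policy rules a proposed password fails (empty = accepted).
    The thresholds are assumed values for the example, not a standard."""
    errors = []
    if len(password) < min_len:
        errors.append(f"fewer than {min_len} characters")
    if sum(not c.isalpha() for c in password) < min_nonalpha:
        errors.append(f"fewer than {min_nonalpha} non-alphabetic characters")
    if sum(c.isdigit() for c in password) < min_digits:
        errors.append(f"fewer than {min_digits} digits")
    if sum(c.isupper() for c in password) < min_upper:
        errors.append(f"fewer than {min_upper} capital letters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("listed in the common-password dictionary")
    return errors


def change_password(shadow, user, new_password, today=None):
    """Apply the policy to the clear-text proposal; on success store a new hash
    under a fresh salt and set the last-changed field (days since 1970-01-01).
    Returns the list of policy violations, empty when the change was made."""
    errors = complexity_errors(new_password)
    if errors or user not in shadow:
        return errors or ["no such user"]
    if today is None:
        today = int(time.time() // 86400)
    shadow[user][1] = hash_password(new_password)
    shadow[user][2] = str(today)
    return []


# Constructed sample records (not taken from any real system). "alice" has a
# password; "svc" is locked with "!" in the hash field and can never log in.
ALICE_HASH = hash_password("Correct-Horse-9", salt="5f3a1c2e9b7d4a60")
PASSWD = parse_records([
    "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash",
    "svc:x:1002:1002:Service Account:/var/lib/svc:/usr/sbin/nologin",
], nfields=7)
SHADOW = parse_records([
    f"alice:{ALICE_HASH}:19700:0:99999:7:::",
    "svc:!:19700:0:99999:7:::",
], nfields=9)
```

Two points of the example are the ones a practitioner should carry over to a real implementation: the verifier never reads the salt or algorithm from anywhere but the stored field itself, so the same code handles every entry regardless of when or with which parameters it was written, and the comparison uses hmac.compare_digest rather than "==" so that a mismatch in the first byte and a mismatch in the last byte take the same time. The complexity check runs on the clear-text proposal inside change_password, before hashing, because once the value is hashed nothing about its structure can be recovered.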