Is Dual-Booting a Computer Safe?


  • Question: I have read that dual-booted Windows and Linux operating systems can make all Linux partitions accessible through the Windows side, and that people could steal the password files from the Linux side this way. Is this true? How could I avoid it?

    ————–

    Wolf Halton

    The short answer: It is true, but it is not easy.

    To actually search your Linux partitions from the Windows side, they would have to add a little application on the Windows side that lets them access the Linux native EXT2 and EXT2 partition formats. Windows will not recognize the Linux-formatted drives, so the more likely scenario (if somebody is attacking your computer) is that they will reformat your Linux drives while attempting to hack them.

    The good news: the data is still “safe.”

    The bad news: now you can’t look at the Linux side either, and it is not easily recovered.

    Quick solution: don’t leave your computer in a vulnerable spot. Only let people you trust have “alone time” with your computer. Lock your screen if you must be away from your computer. Set a random password of 6 characters or more that is not a dictionary word or a permutation of a dictionary word. “Rp%9@+qa” is a strong password that couldn’t be guessed or cracked easily. Change your passwords every month, to limit the value for a hacker of spending months or years cracking your password. Windows or Linux (or UNIX or any other operating system I can think of) is vulnerable to physical attack.

    —————

    The long answer: A properly educated person with enough time can break into your drives.

    You still have to maintain physical security around your computer. Lock your screensaver or log out if you must be away from the computer. If the person has time enough to access your Linux files through Windows then they really don’t need to steal the passwords, do they? They just need to attach some of the files to an email and waltz out. They could also save them to a burnable CDR or a USB flash drive. No need to do the hard work of cracking a password.

    Anybody with a Knoppix disk can access and muck with your Linux or FAT-formatted Windows files as a superuser. If you are concerned about physical access to your machine, remember to use as strong a password for the administrator account as possible, and rename the administrator account when that is possible. Set your screensavers to require a password, and avoid the temptation to let Windows boot to an open user account (even an account of minimal permissions).

    If they want to continue accessing your computer, they might want to steal the passwords, too. Brute-force cracking can take a long time, but the first thing an attacker is going to do is a dictionary attack on your passwords, and there are not that many words in the English language to go through. A password made of “real words” is real easy to crack. This goes for all of your passwords, not just specifically Windows ones.

    There are 256 possible characters in the ASCII chart, including all numbers, letters, accented characters and punctuation. The longer and more random your password, the better. To crack a 2-character password requires the cracker to try 256×256 possible combinations (65,536). If each character = 1 byte and a byte is 8 bits, then this is about 16,384 cycles of a 32-bit CPU. The clock speed of a CPU is how many cycles it runs per second. An average Pentium III running at 500 MHz should crack your 2-char word in 0.000032768 of a second, a little slower than 300 thousandths of a second.
    An 8-character password has 256^8 possible combinations (18,446,744,073,709,551,616); this would take about 29 years to crack on my slow processor here, and a 9-char password… (4,722,366,482,869,645,213,696). A 9-char word would take 236,118,241,434.83 seconds to crack. Rounded, this is approximately 7482.14 years.

    It is worth your effort to use passwords of at least 8 characters, and to have to type it in to log in or to unlock the screensaver. The “functionally honest” person might look to see if they could borrow time on your machine to look at the internet, but a password will stop these people cold - effectively keeping them honest. If somebody is willing to actually steal your computer and take it somewhere else, they can get into any data they want. Even encrypted files can be read, given enough time.
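
The dictionary-versus-brute-force comparison above, as an added example (not part of the original answer). It assumes a guess rate of 2e10 per second, roughly what the 29-year and 7482.14-year figures imply, and uses a constructed five-word list with a hypothetical set of permutation rules.

```python
# Added example: worst-case guess counts for dictionary vs. brute-force search.
GUESSES_PER_SECOND = 2e10            # assumption: rate implied by the article's figures
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET = 256                       # the article's count of possible characters

# Constructed sample wordlist; real dictionaries are far larger.
SAMPLE_WORDLIST = ["password", "dragon", "monkey", "sunshine", "welcome"]
LEET = str.maketrans("aeios", "43105")   # hypothetical substitution rule
SUFFIXES = ["", "1", "123", "!"]         # hypothetical suffix rule


def variants(word):
    """Simple permutations of a dictionary word (illustrative rule set)."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    return {base + suffix for base in bases for suffix in SUFFIXES}


def dictionary_candidates(wordlist):
    """Every candidate a dictionary pass with the rules above would cover."""
    candidates = set()
    for word in wordlist:
        candidates |= variants(word)
    return candidates


def estimate(password, wordlist=SAMPLE_WORDLIST):
    """Return (method, worst_case_guesses) for the cheapest search that covers it."""
    candidates = dictionary_candidates(wordlist)
    if password in candidates:
        return "dictionary", len(candidates)
    return "brute-force", ALPHABET ** len(password)


def crack_years(guesses, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust `guesses` candidates, in years."""
    return guesses / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["Dragon123", "p455w0rd!", "Rp%9@+qa"]:
        method, guesses = estimate(pw)
        print(f"{pw!r}: {method}, {guesses:,} guesses, "
              f"{crack_years(guesses):.3g} years")
```

A password that is a permutation of a dictionary word sits in a search space of a few dozen candidates here, while the random 8-character one needs the full 256^8.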
