SHA Passwords

From ArchWiki



Why Should You Use SHA-2?

In short, your passwords are less likely to be broken. I am no expert on the details, please

FIXME

Editing the Necessary Files

Editing /etc/pam.d/passwd

You must be root to edit this file. What you will probably see is something like this:

#%PAM-1.0
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so md5 shadow use_authtok
password	required	pam_unix.so md5 shadow nullok

A more detailed explanation of those options is available in the pam_unix(8) man page, but the option we are interested in is md5.

All you have to do is change md5 to sha256, or whichever SHA-2 hash you want to use (sha256 is recommended).

After doing so, the file should look like this:

#%PAM-1.0
#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password	required	pam_unix.so md5 shadow use_authtok
password	required	pam_unix.so sha256 shadow nullok

Editing /etc/default/passwd

You will also need root access to edit this file. It most likely looks like this:

# This file contains some information for
# the passwd (1) command and other tools 
# creating or modifying passwords.

# Define default crypt hash
# CRYPT={des,md5,blowfish}
CRYPT=des

# Use another crypt hash for group passwords.
# This is used by gpasswd, fallback is the CRYPT entry.
# GROUP_CRYPT=des


# We can override the default for a special service
# by appending the service name (FILES, YP, NISPLUS, LDAP)

# for local files, use a more secure hash. We
# don't need to be portable here:
CRYPT_FILES=blowfish
# sometimes we need to specify special options for
# a hash (variable is prepended by the name of the
# crypt hash).
BLOWFISH_CRYPT_FILES=5

# For NIS, we should always use DES:
CRYPT_YP=des

Once again, the change is very simple. Change

CRYPT=des

to

CRYPT=sha256

or whichever SHA-2 hash you are using.
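The two edits above, applied with sed and then verified, as an added example that is not part of the ArchWiki page. It works on constructed copies of /etc/pam.d/passwd and /etc/default/passwd in a temporary directory; the file names, the function names and the ALG argument are assumptions of this script, and the same functions can then be run as root against the real files.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: make the two edits with sed
# against constructed copies of /etc/pam.d/passwd and /etc/default/passwd and
# verify the result. File names, function names and ALG are assumptions.
set -eu

ALG="${1:-sha256}"               # sha256 (recommended) or sha512
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of /etc/pam.d/passwd (tab-separated, as on the page).
printf '#%%PAM-1.0\n#password\trequired\tpam_unix.so md5 shadow use_authtok\npassword\trequired\tpam_unix.so md5 shadow nullok\n' \
    > "$WORK/pam-passwd"

# Constructed sample of /etc/default/passwd, abridged.
cat > "$WORK/default-passwd" <<'EOF'
# Define default crypt hash
# CRYPT={des,md5,blowfish}
CRYPT=des
# for local files, use a more secure hash.
CRYPT_FILES=blowfish
BLOWFISH_CRYPT_FILES=5
# For NIS, we should always use DES:
CRYPT_YP=des
EOF

# Swap the md5 option for $2 on active (uncommented) pam_unix.so lines only;
# commented-out lines are left untouched. Writes via a temp file, no sed -i.
set_pam_hash() {   # usage: set_pam_hash FILE ALG
    tmp="$1.tmp.$$"
    sed -e "/^[^#].*pam_unix\.so/s/\([[:space:]]\)md5\([[:space:]]\)/\1$2\2/" \
        -e "/^[^#].*pam_unix\.so/s/\([[:space:]]\)md5\$/\1$2/" "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Set the CRYPT= default; CRYPT_FILES=, CRYPT_YP= and "# CRYPT=" stay as they are.
set_default_crypt() {   # usage: set_default_crypt FILE ALG
    tmp="$1.tmp.$$"
    sed -e "s/^CRYPT=.*/CRYPT=$2/" "$1" > "$tmp"
    mv "$tmp" "$1"
}

# Report the hash option found on the active pam_unix.so line.
pam_hash() {   # usage: pam_hash FILE
    awk '/^[^#].*pam_unix\.so/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^(des|md5|sha256|sha512|blowfish|bigcrypt)$/) { print $i; exit }
         }' "$1"
}

# Report the value of one variable, e.g. CRYPT or CRYPT_FILES.
default_value() {   # usage: default_value FILE VARNAME
    sed -n "s/^$2=//p" "$1"
}

set_pam_hash "$WORK/pam-passwd" "$ALG"
set_default_crypt "$WORK/default-passwd" "$ALG"
echo "pam_unix hash:  $(pam_hash "$WORK/pam-passwd")"
echo "CRYPT default:  $(default_value "$WORK/default-passwd" CRYPT)"
echo "CRYPT_FILES:    $(default_value "$WORK/default-passwd" CRYPT_FILES)"
```

The sed addresses anchor on an uncommented pam_unix.so line and on a line starting exactly with CRYPT=, so the commented reference lines and the per-service CRYPT_FILES and CRYPT_YP settings keep their values; check the printed summary before repeating the calls on the real files.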

Final Steps

Even though you have changed the hash algorithm, existing passwords are not automatically rehashed: a stored hash can only be replaced when the plaintext password is supplied again.

To fix this, you must reset all user passwords so that they can be rehashed.

As root, the command

# passwd <username>

where <username> is the name of the user whose password you are changing, will allow you to do this. Simply re-enter their current password, and it will be rehashed to the more secure SHA-2 version!

To verify that your passwords have been rehashed, check the /etc/shadow file as root. Passwords hashed with sha256 begin with $5$ (sha512 hashes begin with $6$), whereas MD5 hashes begin with $1$.
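An added example, not part of the ArchWiki page, that turns that check into a small audit: it classifies every /etc/shadow entry by its crypt(3) hash prefix and counts the accounts still carrying a DES or MD5 hash. The sample entries and hash values below are constructed (the hashes are fake), and the function names are assumptions; run audit_shadow against /etc/shadow as root for the real check.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: classify each shadow entry by
# its crypt(3) hash prefix so accounts not yet rehashed stand out.
# Sample entries are constructed with fake hashes; function names are assumed.
set -eu

# Map one shadow hash field to its algorithm name.
hash_type() {   # usage: hash_type HASHFIELD
    case "$1" in
        '$1$'*)                   echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo blowfish ;;
        '$5$'*)                   echo sha256 ;;
        '$6$'*)                   echo sha512 ;;
        ''|'!'*|'*'*)             echo locked ;;    # no usable password
        *)  # traditional DES is exactly 13 characters with no $ prefix
            if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Print "user algorithm" for every entry in a shadow-format file.
audit_shadow() {   # usage: audit_shadow FILE
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_type "$hash")"
    done < "$1"
}

# Count accounts whose hash is weaker than SHA-2 (des or md5).
count_weak() {   # usage: count_weak FILE
    audit_shadow "$1" | awk '$2 == "des" || $2 == "md5" { n++ } END { print n + 0 }'
}

# Constructed sample in /etc/shadow format; every hash here is fake.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$6$FAKESALT$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
alice:$5$FAKESALT$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
bob:$1$FAKESALT$FAKEHASHFAKEHASHFAKEHA:19000:0:99999:7:::
legacy:ab01xyZZ9AbCd:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
carol:!$6$FAKESALT$FAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
EOF

audit_shadow "$SAMPLE"
echo "weak (des/md5): $(count_weak "$SAMPLE")"
```

Locked accounts (a leading ! or *) are reported separately rather than as weak, because they cannot be used to log in and so need no rehash; any user listed as des or md5 is one whose password still has to be re-entered with passwd.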
