Hash Type in Linux Password

A reference table when you review /etc/shadow file:
$1$
md5
$2a$
Blowfish
$2y$
Blowfish, with correct handling of 8 bit characters
$5$
sha256
$6$
sha512

 

Just stick to sha512 please!

You can change the hash setting by the file: /etc/login.defs and then changing “ENCRYPT_METHOD SHA512” line.

You can also user the authconfig command to accomplish the same thing:

sudo authconfig –passalgo=sha512 –update

After implementing a strong hash setting we must also make users change/update their password in the next login using the following command:

sudo chage -d 0 username

we can also use:

sudo passwd –expire username

for more info:

https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/

 

We can update default password policy in Linux as well:

vi /etc/security/pwquality.conf

# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 1
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 8
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 0
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 0
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 0
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 0
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#

 

 825 total views,  2 views today

about author

Ankan Basu

ankanbasu@ankanbasu.com

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.