Hash Type in Linux Password

August 31, 2017

Filed under: Blog - Ankan Basu @ 9:19 pm

A reference table when you review /etc/shadow file:

$1$

md5

$2a$

Blowfish

$2y$

Blowfish, with correct handling of 8 bit characters

$5$

sha256

$6$

sha512

Just stick to sha512 please!

You can change the hash setting by the file: /etc/login.defs and then changing “ENCRYPT_METHOD SHA512” line.

You can also user the authconfig command to accomplish the same thing:

sudo authconfig –passalgo=sha512 –update

After implementing a strong hash setting we must also make users change/update their password in the next login using the following command:

sudo chage -d 0 username

we can also use:

sudo passwd –expire username

for more info:

https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/

We can update default password policy in Linux as well:

vi /etc/security/pwquality.conf

# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 1
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 8
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 0
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 0
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 0
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 0
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#

1,340 total views, 2 views today