A reference table for when you review the /etc/shadow file (hash prefix: algorithm):
- $1$: md5
- $2a$: Blowfish
- $2y$: Blowfish, with correct handling of 8 bit characters
- $5$: sha256
- $6$: sha512
Just stick to sha512 please!
You can change the hash setting by editing the file /etc/login.defs and setting the “ENCRYPT_METHOD SHA512” line.
You can also use the authconfig command to accomplish the same thing:
sudo authconfig --passalgo=sha512 --update
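The new setting only takes effect when a password is next set; existing entries in /etc/shadow keep their old hash. So after implementing a strong hash setting we must also make users change/update their password at the next login, using the following command:
sudo chage -d 0 username
We can also use:
sudo passwd --expire username
For more info: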
https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/
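To see which accounts still carry an older hash and therefore need the forced password change, the prefix table above can be applied to a shadow-format file. This is an added example, not part of the original post; the function names are hypothetical and the sample entries are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example (not from the original post).

# make_sample_shadow FILE: write constructed shadow-format lines to FILE.
# Salts and hashes are placeholders, not real password hashes.
make_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$CONSTRUCTEDsalt$CONSTRUCTEDhash:19000:0:99999:7:::
alice:$1$CONSTRUCTEDsalt$CONSTRUCTEDhash:19000:0:99999:7:::
bob:$5$CONSTRUCTEDsalt$CONSTRUCTEDhash:19000:0:99999:7:::
carol:!$2y$10$CONSTRUCTEDsaltANDhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
newuser:!!:19000:0:99999:7:::
legacy:CONSTRUCTEDnoPrefix:19000:0:99999:7:::
EOF
}

# shadow_hash_audit FILE: print "user<TAB>scheme<TAB>verdict" per stored hash.
shadow_hash_audit() {
    awk -F: '
        # Strip the "!" lock marker so a locked account is still classified.
        { hash = $2; sub(/^!+/, "", hash) }
        # "*", "!" and "!!" entries hold no hash, so there is nothing to review.
        hash == "" || hash == "*" { next }
        {
            if      (hash ~ /^[$]1[$]/)  scheme = "md5"
            else if (hash ~ /^[$]2a[$]/) scheme = "blowfish"
            else if (hash ~ /^[$]2y[$]/) scheme = "blowfish-8bit"
            else if (hash ~ /^[$]5[$]/)  scheme = "sha256"
            else if (hash ~ /^[$]6[$]/)  scheme = "sha512"
            else                         scheme = "other"  # prefix not in the table
            verdict = (scheme == "sha512") ? "ok" : "rehash"
            printf "%s\t%s\t%s\n", $1, scheme, verdict
        }
    ' "$1"
}

# users_needing_rehash FILE: account names whose hash is not sha512.
users_needing_rehash() {
    shadow_hash_audit "$1" | awk -F'\t' '$3 == "rehash" { print $1 }'
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample_shadow "$sample"
shadow_hash_audit "$sample"
rm -f "$sample"
```

Run as root against /etc/shadow, each name printed by users_needing_rehash is a candidate for the chage -d 0 command above.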
We can update default password policy in Linux as well:
vi /etc/security/pwquality.conf
# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 1
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 8
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 0
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 0
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 0
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 0
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#