How to Make an Unbreakable Linux Password Using a SHA-2 Hash Algorithm

Oct 21, 2011 04:33 PM

In Linux, all password hashes are normally stored using the MD5 hashing algorithm in the /etc/shadow file, but MD5 is algorithmically weak due to collision vulnerabilities. The new recommended standard is the higher-level SHA-2 family of hashing algorithms, SHA256 or SHA512. As a friend pointed out to me, Ubuntu is currently the only distro implementing SHA-2 as the default. With SHA-2, each password hash takes considerably longer to compute, which greatly reduces how many guesses a person can brute-force in a given time.

So in this Null Byte, we're going to beef up the security in the way Linux hashes passwords to increase the security of our system.

Edit the /etc/pam.d/passwd File

Bold text = commands entered in a terminal emulator.

First, we need to modify the password hashing configuration, so that when a password is set, it is run through our new algorithm. Let's open /etc/pam.d/passwd in our favorite text editor. I like nano:

sudo nano /etc/pam.d/passwd

You should get text that looks like this:

We need to change the bottom line. Change md5 to sha512:

As you can see in mine, I have the rounds option enabled. This is how many times the hash function is iterated, so for every round an attacker would need to compute another hash. I set mine at 65,536 for ridiculous security. After that is done, hit ctrl+x and y to save it.

Change Your /etc/default/passwd

Let's modify our default /etc/default/passwd file now, so our computer knows to use this algorithm when creating or modifying passwords.

sudo nano /etc/default/passwd

Change the seventh line from des:

To sha512:

Onto our next mission!

Edit Your /etc/login.defs

According to the passwd manual page, this file has to be edited when the /etc/shadow mechanism is used for storing passwords:

sudo nano /etc/login.defs

Add the following line to /etc/login.defs:

ENCRYPT_METHOD SHA512

Rehash Your Passwords

We have to reset our passwords with the passwd command, so that they're stored in /etc/shadow with our new hash:

su root

Then change the password of each existing user:

passwd <username>
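After rehashing, the one thing worth verifying is that /etc/shadow actually contains SHA-512 hashes with the rounds you configured. The script below is an added example (not part of the original post) that reads the second field of each shadow entry and classifies it by its crypt prefix: $6$ is SHA-512, $5$ is SHA-256, $1$ is MD5, a rounds=N$ segment carries the round count (glibc uses 5000 when it is absent), a leading * or ! marks a locked account, and a bare 13-character string is traditional DES. It also recognises the $y$ yescrypt prefix that newer distributions use, which goes beyond the 2011 setup described here. The sample shadow file it writes is constructed, and its hash bodies are placeholders rather than real digests.

```shell
#!/bin/sh
# Added example, not from the Null Byte post: audit which hash method
# each entry in a shadow-format file uses. Run against /etc/shadow as root.

# Print the hash method (and rounds, for SHA-2) of one shadow line.
shadow_hash_method() {
    hash=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$hash" in
        '$6$rounds='*)
            echo "sha512 rounds=$(printf '%s\n' "$hash" | sed -n 's/^\$6\$rounds=\([0-9]*\)\$.*/\1/p')" ;;
        '$6$'*)  echo "sha512 rounds=5000" ;;   # glibc default when rounds= is absent
        '$5$rounds='*)
            echo "sha256 rounds=$(printf '%s\n' "$hash" | sed -n 's/^\$5\$rounds=\([0-9]*\)\$.*/\1/p')" ;;
        '$5$'*)  echo "sha256 rounds=5000" ;;
        '$y$'*)  echo "yescrypt" ;;             # used by newer distributions
        '$1$'*)  echo "md5" ;;
        ''|'*'|'!'*) echo "locked" ;;           # no usable password
        *)       echo "des-or-unknown" ;;       # 13-char traditional crypt or garbage
    esac
}

# List every account that is neither SHA-2/yescrypt nor locked.
# Usage: audit_shadow /etc/shadow
audit_shadow() {
    while IFS= read -r line; do
        user=${line%%:*}
        method=$(shadow_hash_method "$line")
        case "$method" in
            sha512*|sha256*|yescrypt|locked) ;;
            *) echo "$user: $method" ;;
        esac
    done < "$1"
}

# Number of weak entries, for a one-line check in a script or cron job.
count_weak() {
    audit_shadow "$1" | wc -l | tr -d ' '
}

# Constructed sample file; hash bodies are placeholders, not real digests.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$rounds=65536$abcdefgh$PLACEHOLDERHASHBODY:15268:0:99999:7:::
alice:$6$ijklmnop$PLACEHOLDERHASHBODY:15268:0:99999:7:::
bob:$1$qrstuvwx$PLACEHOLDERHASHBODY:15268:0:99999:7:::
carol:NkPLACEHOLDER:15268:0:99999:7:::
daemon:*:15268:0:99999:7:::
eve:!!:15268:0:99999:7:::
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_shadow "$sample"
audit_shadow "$sample"    # reports bob (md5) and carol (des-or-unknown)
rm -f "$sample"
```

After following the steps above, an entry for a rehashed user should begin with $6$rounds=65536$, and audit_shadow should print nothing for it. Accounts that still show md5 or des-or-unknown have not had their password reset since the change, because existing hashes are only replaced when passwd is run.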

You should now have incredibly strong passwords for your Linux box! Feel free to drop a line to me in IRC or start some discussions in the Null Byte Forums.

Photo by Ev0luti0nary 
