How to Make an Unbreakable Linux Password Using a SHA-2 Hash Algorithm
In Linux, all password hashes are normally stored using the MD5 hashing algorithm in the /etc/shadow file, but MD5 is algorithmically weak due to collision vulnerabilities. The new recommended standard are the higher level SHA-2 hashing algorithms, SHA256 or SHA512. As a friend pointed out to me, Ubuntu is currently the only distro implementing SHA-2 as the default. With SHA-2, your passwords take an unreasonably larger amount of time to calculate. This will greatly decrease how many passwords a person can brute-force.
So in this Null Byte, we're going to beef up the security in the way Linux hashes passwords to increase the security of our system.
Step 1 Edit the /etc/pam.d/passwd File
Bold text = commands entered in a terminal emulator.
First, we are going to need to modify the password hashing function, so when a password is entered, it runs it through our new algorithm. Lets open /etc/pam.d/passwd in our favorite text editor. I like nano:
sudo nano /etc/pam.d/passwd
You should get text that looks like this:
We need to change the bottom line. Change md5 to sha512:
As you can see in mine, I have the rounds option enabled. This is how many times it's hashed, so for every round an attacker would need to computer another hash. I set mine at 65,536 for ridiculous security. After that is done, hit ctrl+x and y to save it.
Step 2 Change Your /etc/default/passwd
Let's modify our default /etc/default/passwd file now, so our computer knows to use this algorithm when creating or modifying passwords.
sudo nano /etc/default/passwd
Change the seventh line from des:
Onto our next mission!
Step 3 Edit Your /etc/login.defs
According to the passwd manual page, this file has to be edited when the /etc/shadow mechanism is used for storing passwords:
sudo nano /etc/login.defs
Add the following line to /etc/login.defs:
Step 4 Rehash Your Passwords
We have to reset our passwords with the passwd command, so that they're stored in /etc/shadow with our new hash:
Then change the users passwords who exists: