How To: Make an Unbreakable Linux Password Using a SHA-2 Hash Algorithm

Make an Unbreakable Linux Password Using a SHA-2 Hash Algorithm

In Linux, all password hashes are normally stored using the MD5 hashing algorithm in the /etc/shadow file, but MD5 is algorithmically weak due to collision vulnerabilities. The new recommended standard are the higher level SHA-2 hashing algorithms, SHA256 or SHA512. As a friend pointed out to me, Ubuntu is currently the only distro implementing SHA-2 as the default. With SHA-2, your passwords take an unreasonably larger amount of time to calculate. This will greatly decrease how many passwords a person can brute-force.

So in this Null Byte, we're going to beef up the security in the way Linux hashes passwords to increase the security of our system.

Step 1 Edit the /etc/pam.d/passwd File

Bold text = commands entered in a terminal emulator.

First, we are going to need to modify the password hashing function, so when a password is entered, it runs it through our new algorithm. Lets open /etc/pam.d/passwd in our favorite text editor. I like nano:

    sudo nano /etc/pam.d/passwd

You should get text that looks like this:

How to Make an Unbreakable Linux Password Using a SHA-2 Hash Algorithm

We need to change the bottom line. Change md5 to sha512:

How to Make an Unbreakable Linux Password Using a SHA-2 Hash Algorithm

As you can see in mine, I have the rounds option enabled. This is how many times it's hashed, so for every round an attacker would need to computer another hash. I set mine at 65,536 for ridiculous security. After that is done, hit ctrl+x and y to save it.

Step 2 Change Your /etc/default/passwd

Let's modify our default /etc/default/passwd file now, so our computer knows to use this algorithm when creating or modifying passwords.

    sudo nano /etc/default/passwd

Change the seventh line from des:

How to Make an Unbreakable Linux Password Using a SHA-2 Hash Algorithm

To sha512:

How to Make an Unbreakable Linux Password Using a SHA-2 Hash Algorithm

Onto our next mission!

Step 3 Edit Your /etc/login.defs

According to the passwd manual page, this file has to be edited when the /etc/shadow mechanism is used for storing passwords:

    sudo nano /etc/login.defs

Add the following line to /etc/login.defs:

    ENCRYPT_METHOD SHA512

Step 4 Rehash Your Passwords

We have to reset our passwords with the passwd command, so that they're stored in /etc/shadow with our new hash:

    su root

Then change the users passwords who exists:

    passwd <username>

You should now have incredibly strong passwords for your Linux box! Feel free to drop a line to me in IRC or start some discussions in the Null Byte Forums.

Want to start making money as a white hat hacker? Jump-start your white-hat hacking career with our 2020 Premium Ethical Hacking Certification Training Bundle from the new Null Byte Shop and get over 60 hours of training from ethical hacking professionals.

Buy Now (90% off) >

Photo by Ev0luti0nary 

Our Best Hacking & Security Guides

New Null Byte posts — delivered straight to your inbox.

6 Comments

Ubuntu uses SHA-2 as default? What about offshoots of Ubuntu... such as mint?

Yes, Ubuntu uses SHA-2 by default.
AFAIK, no, Mint it doesn't. But I could be wrong.

Interesting. When I go to my parents house next I shall look into this.

Ok... In my passwd file it doesn't have what is in yours. Instead it has @common-passwords, so I went back to pam.d and opened common-passwords and found something that looked much more like yours. Also, while it says the default is to encrypt with unix crypt, the only line on the page I can find that looks like the one you edited, already has sha512 written in it. It's not commented out. Halp?

So, that means you are already using SHA512 :D

Thats what I thought. Yay :)

Share Your Thoughts

  • Hot
  • Latest