In Linux, password hashes are normally stored in the /etc/shadow file using the MD5 hashing algorithm, but MD5 is algorithmically weak due to collision vulnerabilities. The new recommended standard is the stronger SHA-2 family of hashing algorithms, SHA-256 or SHA-512. As a friend pointed out to me, Ubuntu is currently the only distro implementing SHA-2 as the default. With SHA-2, your password hashes take a much larger amount of time to calculate, which greatly reduces how many passwords a person can brute-force.
So in this Null Byte, we're going to beef up the security in the way Linux hashes passwords to increase the security of our system.
Step 1 Edit the /etc/pam.d/passwd File
Bold text = commands entered in a terminal emulator.
First, we need to modify the password hashing function, so that when a password is entered, it is run through our new algorithm. Let's open /etc/pam.d/passwd in our favorite text editor. I like nano:
sudo nano /etc/pam.d/passwd
You should get text that looks like this:
We need to change the bottom line. Change md5 to sha512:
As you can see in mine, I have the rounds option enabled. This is how many times the password is hashed, so for every round an attacker would need to compute another hash. I set mine at 65,536 for ridiculous security. After that is done, hit ctrl+x and y to save it.
Step 2 Change Your /etc/default/passwd
Let's modify our default /etc/default/passwd file now, so our computer knows to use this algorithm when creating or modifying passwords.
sudo nano /etc/default/passwd
Change the seventh line from des:
Onto our next mission!
Step 3 Edit Your /etc/login.defs
According to the passwd manual page, this file has to be edited when the /etc/shadow mechanism is used for storing passwords:
sudo nano /etc/login.defs
Add the following line to /etc/login.defs:
Step 4 Rehash Your Passwords
We have to reset our passwords with the passwd command, so that they're stored in /etc/shadow with our new hash:
Then change the passwords of the users that already exist:
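To check which accounts actually ended up with the new hash after this step, here is an added audit script (my own example, not from the original Null Byte post) that parses shadow-format entries, reads the $6$ prefix and the rounds= value, and flags accounts still on md5crypt or below the 65,536-round policy from Step 1. The shadow lines below are constructed samples; on a real system, feed it a root-readable copy of /etc/shadow.

```python
import re
from collections import namedtuple
# Constructed sample in /etc/shadow layout (name:hash:lastchg:min:max:warn:inactive:expire:flag).
# The salt and hash bodies are placeholders shaped like crypt(3) output, not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=65536$saltsalt$hashhashhashhash:19000:0:99999:7:::
alice:$6$saltsalt$hashhashhashhash:19000:0:99999:7:::
bob:$1$saltsalt$hashhashhashhash:19000:0:99999:7:::
carol:$5$rounds=10000$saltsalt$hashhashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""
# crypt(3) prefixes: $1$ md5crypt, $5$ sha256crypt, $6$ sha512crypt, $y$ yescrypt.
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}
DEFAULT_SHA_ROUNDS = 5000  # what sha256/sha512crypt use when no rounds= is encoded
HASH_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?")
Finding = namedtuple("Finding", "user scheme rounds ok reason")

def classify(user, field, min_rounds):
    """Judge one shadow password field against the policy: sha512crypt with >= min_rounds."""
    if field == "":
        return Finding(user, "none", None, False, "empty password field")
    if field.startswith(("!", "*")):
        return Finding(user, "locked", None, True, "locked, no password login")
    m = HASH_RE.match(field)
    if not m:
        return Finding(user, "des", None, False, "legacy DES crypt")
    scheme = SCHEMES.get(m.group("id"), "unknown")
    rounds = int(m.group("rounds") or DEFAULT_SHA_ROUNDS) if scheme in ("sha256", "sha512") else None
    if scheme == "md5":
        return Finding(user, scheme, rounds, False, "md5crypt, rehash with passwd")
    if scheme == "unknown":
        return Finding(user, scheme, rounds, False, "unrecognised scheme")
    if scheme == "sha256" or (scheme == "sha512" and rounds < min_rounds):
        return Finding(user, scheme, rounds, False, f"not sha512crypt with rounds>={min_rounds}")
    return Finding(user, scheme, rounds, True, "meets policy")

def audit_shadow(text, min_rounds=65536):
    """Return {user: Finding} for every entry in shadow-formatted text."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            user, field = line.split(":")[:2]
            results[user] = classify(user, field, min_rounds)
    return results

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW).values():
        print(f"{'OK ' if f.ok else 'BAD'} {f.user:8} {f.scheme:9} rounds={f.rounds} {f.reason}")
```

Any account reported as BAD still needs its password reset with passwd (or, for an empty field, locking) before the new settings do it any good.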