Switching from MD5 to Blowfish/SHA512 password hashes in FreeBSD

By default, FreeBSD uses MD5 hashes for user passwords (SHA512 for FreeBSD 9.1+). However, Blowfish is available in all recent versions of FreeBSD and it’s really easy to change the default…

Edit the file /etc/login.conf and change the following line:

:passwd_format=md5:\

To read the following:

:passwd_format=blf:\

Then rebuild the login database with the following command:

cap_mkdb /etc/login.conf

From now on, every password you set when adding a user or change with passwd will be hashed with Blowfish. Existing hashes are not converted: each user’s password keeps its old hash until it is changed, so change your own password with passwd to get a Blowfish hash.

If your system uses MD5, it’s preferable to change over to Blowfish as it’s more secure… However, if your system supports SHA512 you should prefer that (passwd_format=sha512), except in very few situations. (SHA512 is supported in FreeBSD 9.1+ only.)

DirectAdmin requires the system to use md5, not blowfish or sha512; otherwise you will never be able to log in to your DA web console.
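Because switching passwd_format only affects passwords set afterwards, it is worth checking which accounts still carry an MD5 hash. As an added example, not part of the original post, the following POSIX sh script classifies the crypt(3) scheme of each entry by the `$id$` prefix of its hash and lists the accounts that do not yet use the wanted scheme; the sample master.passwd lines and hash values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: classify the crypt(3) scheme of
# each account by the "$id$" prefix of its hash and report accounts that do
# not yet use the wanted scheme. Sample entries below are constructed; the
# hash values are fake placeholders, not real hashes.

# Map one crypt(3) string to its scheme name.
hash_scheme() {
    case "$1" in
        '$1$'*)           echo md5 ;;
        '$2a$'*|'$2b$'*)  echo blf ;;     # Blowfish (bcrypt)
        '$5$'*)           echo sha256 ;;
        '$6$'*)           echo sha512 ;;
        '*'*|'!'*|'')     echo locked ;;  # no password / login disabled
        *)                echo des ;;     # traditional 13-char DES or unknown
    esac
}

# Read master.passwd-style lines (name:hash:...) on stdin, print "name scheme".
list_schemes() {
    while IFS=: read -r name hash rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        printf '%s %s\n' "$name" "$(hash_scheme "$hash")"
    done
}

# Print accounts whose scheme is neither the wanted one ($1) nor locked.
users_not_using() {
    list_schemes | awk -v want="$1" '$2 != want && $2 != "locked" { print $1 }'
}

# Constructed sample master.passwd content (fake hash values).
SAMPLE='root:$1$saltsalt$CONSTRUCTEDMD5HASH:0:0::0:0:Charlie &:/root:/bin/csh
alice:$2b$04$saltsaltsaltsaltsaltsCONSTRUCTEDBLOWFISH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$saltsalt$CONSTRUCTEDSHA512HASH:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin'

# Usage: after setting passwd_format=blf, list who still has a non-Blowfish hash.
# On a real host (as root): users_not_using blf < /etc/master.passwd
printf '%s\n' "$SAMPLE" | users_not_using blf
```

On the sample data this prints root and bob, the two accounts whose passwords would still need to be changed with passwd.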


15 thoughts on “Switching from MD5 to Blowfish/SHA512 password hashes in FreeBSD”

  1. bob

    Note that MD5 in this context is not simply an MD5 hash of the password and salt; it’s 1000 iterations with the salt, password and previous hash value hashed together in varying orders. It’s not clear that blowfish is any more secure. Even a basic MD5 hash implementation still has no practical break because this application is extremely forgiving of hash vulnerabilities.

    Note also that in many cases this encryption provides no significant security anyway. In order to perform an attack on hashed passwords you have to have previously had root or equivalent physical access. It’s mostly just a way of getting user passwords in case they are used elsewhere, or reused on the same machine – the original access is the more significant problem.

    Reply
    1. dan Post author

      It also refers to the time taken to brute force the password. The number of passwords per second you can do against blowfish hashes is much less than md5. Also, blowfish allows you to use up to a 32 character password, whereas MD5 only allows 16 character passwords. The latter is the main reason I use blowfish hashes under FreeBSD.

      Reply
    1. dan Post author

      The only values supported are ‘des’, ‘md5’ and ‘blf’ – sha512 isn’t supported for password hashes.

      Reply
    1. dan Post author

      That’s correct – but 9.1 isn’t released just yet (soon though!)

      A lot of people won’t upgrade to 9.1 for a long time, so they can use the blowfish hashes in the meantime.
      sha256/sha512 hashes might work depending on the age of the OS installed too.

      Reply
    1. dan Post author

      It is a better password hashing algorithm, yes.
      However, note: if you use DirectAdmin on your FreeBSD 9.1 servers, you need to change the hashing back to MD5 as DA doesn’t support Blowfish or SHA512 algorithms.

      Reply
  2. BSDGuy

    Thanks Dan. I don’t use DirectAdmin so it’s all good. I noticed SHA512 was the default with a fresh install of 9.1.

    Reply
    1. dan Post author

      You should not be able to log in to the DA control panel if your login has blowfish or SHA256/512 hashing. The DA binary doesn’t support checking hashes against them (it’s well documented and affects both Linux and FreeBSD DA installs).

      Reply