Hashes
Storing passwords in plain text is generally a bad idea. Usually you want to store a password hash instead. A password hash is a one-way transformation of the password: the original password cannot be recovered from it, but a login attempt can be checked by hashing the supplied password the same way and comparing the results. There are a number of options available to generate such a password hash. Keep in mind that the password hash generated will be different each time by design: a random salt value is mixed into the hash, so two hashes of the same password will not match.
crypt format
Many programs for Unix-related operating systems will use crypt format to have compatible password hashes. Sadly, not all password hashing algorithms are created equal. For new deployments, it is recommended you use the more secure modern password hashing algorithms such as bcrypt, scrypt, yescrypt, or argon2.
crypt hashes will start with a prefix identifying the hashing algorithm:
- $2 is bcrypt. Default password hash algorithm used in OpenBSD.
- $y is yescrypt. Default password hash algorithm used in modern Linux distributions.
- $6 is sha512. Previous default algorithm used in Linux. Old recommended algorithm.
- $5 is sha256. Less secure version of the sha algorithm. Not recommended.
- $1 is md5. Older algorithm with known collision vulnerability. DO NOT USE.
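The prefix list above is exactly what an administrator needs in order to audit which accounts on a system still carry a weak hash. The following is an added example, not part of the original page, that applies the list to shadow-style records: it reads the password field, maps the $id$ prefix to an algorithm and a verdict, and reports the accounts whose hashes should be regenerated with a modern algorithm. The $2a/$2b/$2y bcrypt variants, the $7$ scrypt prefix, the bare 13-character DES form and the bcrypt cost threshold of 10 are assumptions added here; the md5crypt entry in the sample data is a constructed placeholder, the other sample hashes are the ones shown on this page.

```python
from typing import NamedTuple


class HashReport(NamedTuple):
    user: str
    algorithm: str
    verdict: str  # ok | legacy | weak | reject | low-cost | locked | empty | unknown


# Prefix table from the list above. $2a/$2b/$2y are bcrypt variants and
# $7$ is scrypt; both go beyond the page's list and are assumptions here.
CRYPT_IDS = {
    "2": ("bcrypt", "ok"), "2a": ("bcrypt", "ok"),
    "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "y": ("yescrypt", "ok"),
    "7": ("scrypt", "ok"),
    "6": ("sha512crypt", "legacy"),
    "5": ("sha256crypt", "weak"),
    "1": ("md5crypt", "reject"),
}
MIN_BCRYPT_COST = 10  # assumed local policy; bcrypt cost is the second $ field
REHASH_VERDICTS = {"legacy", "weak", "reject", "low-cost"}


def classify(field: str) -> tuple:
    """Identify the crypt algorithm of one password field and rate it."""
    if field == "":
        return ("none", "empty")
    if field.startswith(("!", "*")):
        # Locked or passwordless account: no password login possible.
        return ("none", "locked")
    if not field.startswith("$"):
        # Traditional 13-character DES crypt carries no $id$ prefix.
        return ("descrypt", "reject")
    parts = field.split("$")  # ['', id, ...]
    ident = parts[1]
    if ident not in CRYPT_IDS:
        return ("unknown:" + ident, "unknown")
    algo, verdict = CRYPT_IDS[ident]
    if algo == "bcrypt":
        # $2b$<cost>$<22 salt chars><31 hash chars>; cost is log2 of the work factor.
        if len(parts) < 4 or not parts[2].isdigit() or int(parts[2]) < MIN_BCRYPT_COST:
            verdict = "low-cost"
    return (algo, verdict)


def audit_shadow(text: str) -> list:
    """Classify every user:hash:... record in a shadow-style text."""
    reports = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user = fields[0]
        pwfield = fields[1] if len(fields) > 1 else ""
        algo, verdict = classify(pwfield)
        reports.append(HashReport(user, algo, verdict))
    return reports


def needs_rehash(reports: list) -> list:
    """Users whose stored hash should be regenerated with a modern algorithm."""
    return [r.user for r in reports if r.verdict in REHASH_VERDICTS]


# Constructed sample records. The bcrypt, yescrypt and sha512 hashes are the
# ones printed elsewhere on this page; the $1$ entry is a placeholder, not a real hash.
SAMPLE_SHADOW = """\
root:$2b$10$DT6b98JrMesHZNCUsrKk4.seLEYbAz2loLlY6WmyHJuRATBPLnhve:19000:0:99999:7:::
alice:$y$j9T$1aQ4jjXy.VEabp30Nv9vW.$SbKbB0MVmtALi2eC1/JFPKOQpyWoAh.7yUPcBSTiqLB:19000:0:99999:7:::
bob:$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.:19000:0:99999:7:::
carol:$1$CONSTR$placeholder0000000000:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for r in audit_shadow(SAMPLE_SHADOW):
        print(f"{r.user:8} {r.algorithm:12} {r.verdict}")
    print("needs rehash:", needs_rehash(audit_shadow(SAMPLE_SHADOW)))
```

On a real system the same function can be fed the contents of /etc/shadow (or /etc/master.passwd on OpenBSD) by a root process; the report only names the algorithm and work factor and never needs the password itself, since the verdict comes entirely from the prefix.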
The below methods will all generate crypt formatted hashes.
OpenBSD encrypt command
From the command line, you can run this command, which will prompt you for a password and print out the encoded password hash. You won't see the string you enter. This example produces a hash of the string 'password' using the bcrypt algorithm.
# encrypt -p
Enter string:
$2b$10$DT6b98JrMesHZNCUsrKk4.seLEYbAz2loLlY6WmyHJuRATBPLnhve
pmWiki ?action=crypt
pmWiki has a built-in password hash generator. You can use the following link to generate a password hash using the bcrypt algorithm.
https://wiki.ircnow.org/index.php?action=crypt
The output will look something like this.
(Screenshot: pmwiki_action_crypt.png)
Linux mkpasswd (Yescrypt, scrypt, bcrypt, sha-512, sha-256, md5)
mkpasswd is a program available in the Debian Linux package whois (apt install whois) and in the Red Hat Linux package expect (yum install expect).
mkpasswd --method=Yescrypt --stdin
Password: password
$y$j9T$1aQ4jjXy.VEabp30Nv9vW.$SbKbB0MVmtALi2eC1/JFPKOQpyWoAh.7yUPcBSTiqLB
The full list of available methods in your distro can be found with this command:
mkpasswd --method=help
perl crypt() (md5, sha256, sha512)
This method doesn't seem to support the modern crypt algorithms. This example generates a SHA-512 hash, as specified by the $6 prefix in the salt value. Replace it with the other crypt prefixes from above for the other supported hashes.
# perl -e 'print crypt("password", "\$6\$salt\$"),"\n"'
$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.
Openssl (md5, sha256, sha512)
This method doesn't support the modern crypt algorithms either. This example generates a SHA-512 hash, as specified by -6. Use openssl passwd -help for a list of supported algorithms.
# openssl passwd -6 -salt xyz password
$6$xyz$ShNnbwk5fmsyVIlzOf8zEg4YdEH2aWRSuY4rJHbzLZRlWcoXbxxoI0hfn0mdXiJCdBJ/lTpKjk.vu5NZOv0UM0
Note: passing -1 will generate an MD5 password hash, -5 a SHA-256 hash and -6 a SHA-512 hash.
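The perl and openssl sections both produce $6$ hashes, and their output makes a good check for understanding what that format actually contains: a prefix, an optional rounds= field, the salt, and 86 characters of crypt-style base64 over a 64-byte digest. The following is an added example, not code from this page or from any of the tools it describes: a pure-Python implementation of the SHA-512 crypt scheme (Drepper's sha512crypt specification, as used by glibc, perl's crypt() and openssl passwd -6) together with a verify routine that re-derives the hash from the stored salt and compares it in constant time. The function names sha512_crypt and verify are assumptions; the expected output is the $6$salt$ hash printed in the perl section above.

```python
import hashlib
import hmac

# crypt(3)'s own base64 alphabet, which differs from RFC 4648.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n characters of the 24-bit word (b2,b1,b0), low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """SHA-512 crypt ($6$) hash of password with the given salt and round count."""
    pw = password.encode()
    salt = salt[:16]                       # crypt uses at most 16 salt characters
    sb = salt.encode()
    rounds = max(1000, min(rounds, 999_999_999))
    n = len(pw)

    # Digest B = H(pw || salt || pw), used to stretch the password into A.
    b = hashlib.sha512(pw + sb + pw).digest()
    a = hashlib.sha512(pw + sb)
    a.update(b * (n // 64) + b[: n % 64])  # B repeated to len(pw) bytes
    i = n
    while i > 0:                           # one step per bit of len(pw)
        a.update(b if i & 1 else pw)
        i >>= 1
    a = a.digest()

    # P: the password stretched through DP = H(pw repeated len(pw) times).
    dp = hashlib.sha512(pw * n).digest()
    p = dp * (n // 64) + dp[: n % 64]
    # S: the salt stretched through DS = H(salt repeated 16 + A[0] times).
    ds = hashlib.sha512(sb * (16 + a[0])).digest()
    s = ds * (len(sb) // 64) + ds[: len(sb) % 64]

    # Cost loop: the round count is the work factor a cracker must repeat.
    c = a
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()

    # Encode 21 permuted byte triplets plus the final byte (86 characters).
    enc = []
    for i in range(21):
        x, y, z = i, i + 21, i + 42
        if i % 3 == 1:
            x, y, z = y, z, x
        elif i % 3 == 2:
            x, y, z = z, x, y
        enc.append(_b64_24bit(c[x], c[y], c[z], 4))
    enc.append(_b64_24bit(0, 0, c[63], 2))

    prefix = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + salt + "$" + "".join(enc)


def verify(password: str, stored: str) -> bool:
    """Check password against a stored $6$[rounds=N$]salt$hash string."""
    parts = stored.split("$")              # ['', '6', ('rounds=N',) salt, hash]
    if len(parts) < 4 or parts[0] != "" or parts[1] != "6":
        return False
    rounds, idx = 5000, 2
    if parts[2].startswith("rounds="):
        try:
            rounds, idx = int(parts[2][7:]), 3
        except ValueError:
            return False
    if len(parts) != idx + 2:
        return False
    salt, digest = parts[idx], parts[idx + 1]
    recomputed = sha512_crypt(password, salt, rounds).rsplit("$", 1)[1]
    # Constant-time comparison so timing does not leak how many characters matched.
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    h = sha512_crypt("password", "salt")
    print(h)                               # same value as the perl example above
    print(verify("password", h), verify("Password", h))
```

Compare the printed value with the output of the perl and openssl commands above to confirm they are the same scheme. A real deployment would generate the salt from os.urandom rather than reuse a fixed string, since the salt is what keeps two users with the same password from sharing a hash.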