Hashes

Storing passwords in plain text is generally a bad idea. Usually you want to store a password hash of the password. This generates an encrypted version of the password using the password as the key to decrypt it. There are a number of options available to generate such a password hash. Keep in mind that the password hash generated will be different each time by design. There is a salt value added to the password hash to cause this.

crypt format

Many programs for Unix-related operating systems will use crypt format to have compatible password hashes. Sadly, not all password hashing algorithms are created equal. For new deployments, it is recommended you use the more secure modern password hashing algorithms such as bcrypt, scrypt, yescrypt, argon2.

crypt hashes will start with a prefix for identifying the hashing algorithm:

  • $2 is bcrypt. Default password hash algorithm used in OpenBSD.
  • $y is yescrypt. Default password hash algorithm used in modern Linux distributions.
  • $6 is sha512. Previous default algorithm used in Linux. Old recommended algorithm.
  • $5 is sha256. Less secure version of sha algorithm. Not recommended.
  • $1 is md5. Older algorithm with known collision vulnerability. DO NOT USE.

The below methods will all generate crypt formatted hashes.

Openbsd encrypt command

From the command line, you can run this command which will prompt you for a password and print out the encoded password hash. You wont see the string you enter. This example produces a hash using 'password' as the string using the bcrypt algorithm.

# encrypt -p 
Enter string: 
$2b$10$DT6b98JrMesHZNCUsrKk4.seLEYbAz2loLlY6WmyHJuRATBPLnhve

pmWiki ?action=crypt

pmWiki has a built in password hash generator. You can use the following link to generate a password using the bcrypt algorithm.

https://wiki.ircnow.org/index.php?action=crypt

The output will look something like this.

Linux mkpasswd (Yescrypt, scrypt, bcrypt, sha-512, sha-256, md5)

mkpasswd is a program available in Debian Linux package whois (apt install whois) and in Redhat Linux package expect (yum install expect)

mkpasswd --method=Yescrypt --stdin
Password: password
$y$j9T$1aQ4jjXy.VEabp30Nv9vW.$SbKbB0MVmtALi2eC1/JFPKOQpyWoAh.7yUPcBSTiqLB

The full list of available methods in your distro can be found with this command:

mkpasswd --method=help 

perl crypt() (md5, sha256, sha512)

This method doesn't seem to support the modern crypt algorithms. This example generates an sha-512 hash as specified by the $6 prefix in the salt value. Replace it with the other crypt prefixes from above for other supported hashes.

# perl -e 'print crypt("password", "\$6\$salt\$"),"\n"'
$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.

Openssl (md5, sha256, sha512)

This method doesn't support the modern crypt algorithms either. This example generates an sha-512 hash as specified by the -6. Use openssl passwd -help for list of supported algorithms.

# openssl passwd -6 -salt xyz  password
$6$xyz$ShNnbwk5fmsyVIlzOf8zEg4YdEH2aWRSuY4rJHbzLZRlWcoXbxxoI0hfn0mdXiJCdBJ/lTpKjk.vu5NZOv0UM0

Note: passing -1 will generate an MD5 password, -5 a SHA256 and -6 SHA512