Storing passwords in plain text is generally a bad idea. Usually you want to store a password hash of the password. This generates an encrypted version of the password using the password as the key to decrypt it. There are a number of options available to generate such a password hash. Keep in mind that the password hash generated will be different each time by design. There is a salt value added to the password hash to cause this.
Many programs for Unix-related operating systems will use crypt format to have compatible password hashes. Sadly, not all password hashing algorithms are created equal. For new deployments, it is recommended you use the more secure modern password hashing algorithms such as bcrypt, scrypt, yescrypt, argon2.
crypt hashes will start with a prefix for identifying the hashing algorithm:
$2 is bcrypt. Default password hash algorithm used in OpenBSD.
$y is yescrypt. Default password hash algorithm used in modern Linux distributions.
$6 is sha512. Previous default algorithm used in Linux. Old recommended algorithm.
$5 is sha256. Less secure version of sha algorithm. Not recommended.
$1 is md5. Older algorithm with known collision vulnerability. DO NOT USE.
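The prefix list above can be used to audit which algorithm each stored hash uses. The following is an added example, not part of the original page: the function names and the shadow-style sample lines are constructed (the $y$, $6$ and $2b$ hashes are the ones shown in the command examples on this page; the $1$ and $5$ entries are placeholders).

```shell
#!/bin/sh
# Added example: audit crypt-format hashes by their identifying prefix.
# Function names are hypothetical; verdicts mirror the prefix list on this page.

# crypt_scheme HASH -> prints "<algorithm> <verdict>"
crypt_scheme() {
    case "$1" in
        '!'*|'*'*)              echo "none locked" ;;            # login disabled
        '$2$'*|'$2'[abxy]'$'*)  echo "bcrypt ok" ;;
        '$y$'*)                 echo "yescrypt ok" ;;
        '$6$'*)                 echo "sha512 old" ;;
        '$5$'*)                 echo "sha256 not-recommended" ;;
        '$1$'*)                 echo "md5 do-not-use" ;;
        *)                      echo "unknown review" ;;         # empty or unrecognised
    esac
}

# audit_shadow: read "user:hash:..." lines on stdin and print
# "user algorithm verdict" for every entry that needs attention.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac    # skip blanks and comments
        verdict=$(crypt_scheme "$hash")
        case "$verdict" in
            *' ok'|*' locked') ;;                    # nothing to report
            *) echo "$user $verdict" ;;
        esac
    done
}

# Constructed sample input in shadow(5) layout; not real accounts.
sample_shadow() {
    cat <<'EOF'
alice:$y$j9T$1aQ4jjXy.VEabp30Nv9vW.$SbKbB0MVmtALi2eC1/JFPKOQpyWoAh.7yUPcBSTiqLB:19000:0:99999:7:::
bob:$6$xyz$ShNnbwk5fmsyVIlzOf8zEg4YdEH2aWRSuY4rJHbzLZRlWcoXbxxoI0hfn0mdXiJCdBJ/lTpKjk.vu5NZOv0UM0:19000:0:99999:7:::
carol:$1$salt$CONSTRUCTED.PLACEHOLDER:19000:0:99999:7:::
dave:$5$salt$CONSTRUCTED.PLACEHOLDER:19000:0:99999:7:::
erin:!:19000:0:99999:7:::
frank:$2b$10$DT6b98JrMesHZNCUsrKk4.seLEYbAz2loLlY6WmyHJuRATBPLnhve:19000:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a real system the same function can read the actual password database as root, for example audit_shadow < /etc/shadow on Linux.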
The below methods will all generate crypt formatted hashes.
OpenBSD encrypt command
From the command line, you can run this command, which will prompt you for a password and print out the encoded password hash. You won't see the string you enter. This example produces a hash using 'password' as the string using the
# encrypt -p
Enter string:
$2b$10$DT6b98JrMesHZNCUsrKk4.seLEYbAz2loLlY6WmyHJuRATBPLnhve
PmWiki has a built-in password hash generator. You can use the following link to generate a password using the
The output will look something like this.
Linux mkpasswd (Yescrypt, scrypt, bcrypt, sha-512, sha-256, md5)
mkpasswd is a program available in the Debian Linux package whois (apt install whois) and in the Red Hat Linux package expect (yum install expect).
mkpasswd --method=Yescrypt --stdin
Password: password
$y$j9T$1aQ4jjXy.VEabp30Nv9vW.$SbKbB0MVmtALi2eC1/JFPKOQpyWoAh.7yUPcBSTiqLB
The full list of available methods in your distro can be found with this command:
perl crypt() (md5, sha256, sha512)
This method doesn't seem to support the modern crypt algorithms. This example generates an sha-512 hash as specified by the $6 prefix in the salt value. Replace it with the other crypt prefixes from above for other supported hashes.
# perl -e 'print crypt("password", "\$6\$salt\$"),"\n"'
$6$salt$IxDD3jeSOb5eB1CX5LBsqZFVkJdido3OUILO5Ifz5iwMuTS4XMS130MTSuDDl3aCI6WouIL9AjRbLCelDCy.g.
OpenSSL (md5, sha256, sha512)
This method doesn't support the modern crypt algorithms either. This example generates an sha-512 hash as specified by the -6. Use openssl passwd -help for a list of supported algorithms.
# openssl passwd -6 -salt xyz password
$6$xyz$ShNnbwk5fmsyVIlzOf8zEg4YdEH2aWRSuY4rJHbzLZRlWcoXbxxoI0hfn0mdXiJCdBJ/lTpKjk.vu5NZOv0UM0
Note: passing -1 will generate an MD5 password, -5 a SHA256 and -6 SHA512.