Re: Password encoding

From: Erick Mechler (emechler@techometer.net)
Date: 09/26/02


Date: Wed, 25 Sep 2002 15:26:45 -0700
From: Erick Mechler <emechler@techometer.net>
To: Nomad <mailman@crypton.pl>


:: So I made small investigation. And what I found: new auth_default value
:: in my system is DES !!! And my password on new accounts are only 8
:: characters long !!!

You're going to want to do 2 things. First, make sure that you have your
passwd_format=md5 in your /etc/login.conf (be sure to run cap_mkdb
/etc/login.conf after you do so).

Currently there's a bug with /usr/sbin/adduser which results in changed
passwords defaulting to DES, despite whatever the system default password
scheme is. /usr/sbin/pw and /usr/bin/passwd do not suffer from this
problem.

Bottom line: don't use adduser to set your passwords upon account creation,
use the passwd utility or pw. This will insure that all your system
passwords are created and stay MD5.

Cheers - Erick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Relevant Pages

  • Crypto default after "make world"
    ... I have FreeBSD 4.4, ... Investigation has shown, that passwords in DES do not work, moreover, all new passwords are created in shadow.passwd in format MD5. ...
    (FreeBSD-Security)
  • Re: A New Threat for password hacking
    ... Passwords in RACF db are stored using DES, ... as a hash. ... I used SHA1 for my example since it's the one with the smallest bit ...
    (bit.listserv.ibm-main)
  • Re: Current thoughts on system partitioning
    ... >> Just to use my specific example, I've built a server with two 160 GB ... > In my experience, SuSE by default installs DES encryption for passwords, ...
    (comp.os.linux.misc)
  • Re: md5?
    ... So how does one make adduser generate a MD5 password ... still generates DES. ... > passwords, but whether or not you do you still get ...
    (FreeBSD-Security)
  • Re: Why is AES more secure than DES??
    ... AES is much faster, but why is AES more secure than DES?? ... The cracking method is "guess all possible password" ... With AES, the number of all possible passwords is 2^128, because it has a ...
    (sci.crypt)