Ubuntu - Passwords - Password Schemes

Password scheme means the format in which the password is stored in password databases.

The main reason for choosing a scheme other than PLAIN is to prevent someone with access to the password database (such as a hacker) from stealing users' passwords and using them to access other services.

You should choose the strongest crypt scheme that's supported by your system. From strongest to weakest:

• BLF-CRYPT: This is the Blowfish crypt (bcrypt) scheme. It is generally considered to be very secure. The encrypted password will start with $2a$ (Note: bcrypt is not available on most Linux distributions)

• SHA512-CRYPT: A strong scheme. The encrypted password will start with $6$

• SHA256-CRYPT: A strong scheme. The encrypted password will start with $5$

• MD5-CRYPT: A weak but common scheme often used in /etc/shadow. The encrypted password will start with $1$

Note that the above schemes are implemented by the libc's crypt() function. Using them is especially useful when sharing the same passwords with other software, because most of them support using crypt() to verify the password. However, not all libcs (especially older ones) implement all of the above schemes.

Other password schemes that are not in libc.

• LANMAN: DES-based encryption. Used sometimes with NTLM mechanism.

• NTLM: MD4 sum of the password stored in hex. Used with NTLM mechanism.

• RPA: Used with RPA mechanism.

• CRAM-MD5: Used with CRAM-MD5 mechanism.

• DIGEST-MD5: Used with DIGEST-MD5 mechanism. The username is included in the hash, so it's not possible to use the hash for different usernames.

• SCRAM-SHA-1: Used with SCRAM-SHA-1 mechanism. (v2.2+)

• CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. “pass” = vpvKh.SaNbR6s)

• PLAIN: Password is in plaintext.

• PLAIN-MD5: MD5 sum of the password stored in hex.

• LDAP-MD5: MD5 sum of the password stored in base64.

• SMD5: Salted MD5 sum of the password stored in base64.

• SHA: SHA1 sum of the password stored in base64.

• SSHA: Salted SHA1 sum of the password stored in base64.

• SHA256: SHA256 sum of the password stored in base64. (v1.1 and later).

• SSHA256: Salted SHA256 sum of the password stored in base64. (v1.2 and later).

• SHA512: SHA512 sum of the password stored in base64. (v2.0 and later).

• SSHA512: Salted SHA512 sum of the password stored in base64. (v2.0 and later).

The base64 vs. hex encoding that is mentioned above is simply the default encoding that is used. You can override it for any scheme by adding a “.hex”, “.b64” or “.base64” suffix. For example:

• {SSHA.b64}986H5cS9JcDYQeJd6wKaITMho4M9CrXM contains the password encoded to base64 (just like {SSHA})

• {SSHA.HEX}3f5ca6203f8cdaa44d9160575c1ee1d77abcf59ca5f852d1 contains the password encoded to hex

This can be especially useful with plaintext passwords to encode characters that would otherwise be illegal. For example in passwd-file you couldn't use a “:” character in the password without encoding it to base64 or hex. For example: {PLAIN}{\}:!“ is the same as {PLAIN.b64}e1x9OiEiCg==.

For the SHA512-CRYPT, SHA256-CRYPT and MD5-CRYPT schemes, the salt is stored before the hash, e.g.: $6$salt$hash. For the BLF-CRYPT scheme, bcrypt stores the salt as part of the hash.

For most of the other salted password schemes (SMD5, SSHA*) the salt is stored after the password hash and its length can vary. When hashing the password, append the salt after the plaintext password, e.g.: SSHA256(pass, salt) = SHA256(pass + salt) + salt.

For example with SSHA256 you know that the hash itself is 32 bytes (256 bits/8 bits per byte). Everything after that 32 bytes is the salt. For example if you have a password:

{SSHA256}SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv

After base64 decoding it you'll see that its length is 36 bytes, so the first 32 bytes are the hash and the following 4 bytes are the salt:

• length: echo SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv|base64 -d|wc -c → 36

• hash: echo SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv|base64 -d|dd bs=1 count=32|hexdump -C → 4a 84 7f ef c4 f9 ab 45 0f 16 78 3c 50 25 d6 43 13 94 2a 1c eb 25 99 70 7c db 65 94 0b a9 01 e5

• salt: echo SoR/78T5q0UPFng8UCXWQxOUKhzrJZlwfNtllAupAeUT+kQv|base64 -d|dd bs=1 skip=32|hexdump -C → 13 fa 44 2f

Other common hash sizes are:

• MD5: 16 bytes
• SHA: 20 bytes
• SHA256: 32 bytes
• SHA512: 64 bytes