Passwords - Password Schemes
Password scheme means the format in which the password is stored in password databases. The main reason for choosing a scheme other than PLAIN is to prevent someone with access to the password database (such as a hacker) from stealing users' passwords and using them to access other services.
What scheme to use?
You should choose the strongest crypt scheme that's supported by your system. From strongest to weakest:
- BLF-CRYPT: This is the Blowfish crypt (bcrypt) scheme. It is generally considered to be very secure. The encrypted password will start with $2a$. (Note: bcrypt is not available on most Linux distributions.)
- SHA512-CRYPT: A strong scheme. The encrypted password will start with $6$
- SHA256-CRYPT: A strong scheme. The encrypted password will start with $5$
- MD5-CRYPT: A weak but common scheme often used in /etc/shadow. The encrypted password will start with $1$
Note that the above schemes are implemented by the libc's crypt() function. Using them is especially useful when sharing the same passwords with other software, because most of them support using crypt() to verify the password. However, not all libcs (especially older ones) implement all of the above schemes.
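To make the crypt() formats above concrete, here is an added example (not code from the Dovecot wiki or from Dovecot itself) that implements SHA512-CRYPT from the published sha-crypt specification on top of Python's `hashlib`, identifies a stored hash's scheme from its prefix, verifies a password against a `$6$` hash, and flags weak entries in a password database. The function names (`identify_scheme`, `sha512_crypt`, `verify_sha512_crypt`, `weak_entries`), the `SAMPLE_DB` lines and the `bob` MD5-CRYPT value are constructed for the example; the `carol` value is the page's own DES CRYPT example for "pass". The `$6$saltstring` / "Hello world!" pair is the specification's public test vector.

```python
import hashlib
import hmac
import re

# crypt(3)'s own base64 alphabet, not the RFC 4648 one.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999
SALT_LEN_MAX = 16
# Prefixes from the list above; a 13-character string with no '$' is traditional DES CRYPT.
_PREFIXES = {"$2a$": "BLF-CRYPT", "$6$": "SHA512-CRYPT", "$5$": "SHA256-CRYPT", "$1$": "MD5-CRYPT"}

def identify_scheme(stored):
    for prefix, name in _PREFIXES.items():
        if stored.startswith(prefix):
            return name
    if len(stored) == 13 and "$" not in stored:
        return "CRYPT"
    return "UNKNOWN"

def _b64_from_24bit(b2, b1, b0, n):
    # n characters, 6 bits each, least-significant group first
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)

def _parse_setting(setting):
    """Split '$6$[rounds=N$]salt' into (rounds, rounds_given, salt)."""
    if not setting.startswith("$6$"):
        raise ValueError("not a SHA512-CRYPT setting string")
    rest = setting[3:]
    rounds, given = ROUNDS_DEFAULT, False
    m = re.match(r"rounds=(\d+)\$", rest)
    if m:
        rounds = min(max(int(m.group(1)), ROUNDS_MIN), ROUNDS_MAX)
        given, rest = True, rest[m.end():]
    return rounds, given, rest.split("$", 1)[0][:SALT_LEN_MAX]

def sha512_crypt(password, setting):
    """SHA512-CRYPT as in the sha-crypt specification implemented by libc crypt()."""
    rounds, given, salt_str = _parse_setting(setting)
    pw, salt = password.encode(), salt_str.encode()
    n, sl = len(pw), len(salt)
    b = hashlib.sha512(pw + salt + pw).digest()            # digest B
    a = hashlib.sha512(pw + salt)                          # digest A
    a.update(b * (n // 64) + b[: n % 64])
    i = n
    while i > 0:                                           # one update per bit of n
        a.update(b if i & 1 else pw)
        i >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * n).digest()                   # P bytes (password-derived)
    p = dp * (n // 64) + dp[: n % 64]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()       # S bytes (salt-derived)
    s = ds * (sl // 64) + ds[: sl % 64]
    c = a
    for r in range(rounds):                                # the cost loop
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    out = []                                               # permuted base64 of the 64 bytes
    for k in range(21):
        i0, i1, i2 = k, k + 21, k + 42
        if k % 3 == 1:
            i0, i1, i2 = i1, i2, i0
        elif k % 3 == 2:
            i0, i1, i2 = i2, i0, i1
        out.append(_b64_from_24bit(c[i0], c[i1], c[i2], 4))
    out.append(_b64_from_24bit(0, 0, c[63], 2))
    prefix = "$6$" + ("rounds=%d$" % rounds if given else "")
    return prefix + salt_str + "$" + "".join(out)

def verify_sha512_crypt(password, stored):
    """Recompute with the stored salt and rounds, then compare in constant time."""
    if identify_scheme(stored) != "SHA512-CRYPT":
        raise ValueError("only SHA512-CRYPT hashes are verified here")
    return hmac.compare_digest(sha512_crypt(password, stored.rsplit("$", 1)[0]), stored)

def weak_entries(lines):
    """(user, scheme) for 'user:hash' lines stored with MD5-CRYPT, CRYPT or an unrecognised scheme."""
    found = []
    for line in lines:
        user, stored = line.split(":", 1)
        scheme = identify_scheme(stored)
        if scheme in {"MD5-CRYPT", "CRYPT", "UNKNOWN"}:
            found.append((user, scheme))
    return found

# Constructed sample lines, not real credentials; the CRYPT value is the page's own example for "pass".
SAMPLE_DB = [
    "alice:" + sha512_crypt("Hello world!", "$6$saltstring"),
    "bob:$1$fakesalt$CONSTRUCTED.MD5CRYPT.VALUE",
    "carol:vpvKh.SaNbR6s",
]
```

The `rounds=N$` handling mirrors libc: an explicit value is clamped to the 1000..999999999 range and echoed back in the hash, salts are cut at 16 characters, and the default 5000 is omitted from the output. Verification re-derives the hash from the stored setting string and compares with `hmac.compare_digest`, so the check does not leak how many leading characters matched.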
Other password schemes that are not in libc:
- LANMAN: DES-based encryption. Sometimes used with the NTLM mechanism.
- NTLM: MD4 sum of the password stored in hex. Used with the NTLM mechanism.
- RPA: Used with the RPA mechanism.
- CRAM-MD5: Used with the CRAM-MD5 mechanism.
- DIGEST-MD5: Used with the DIGEST-MD5 mechanism. The username is included in the hash, so it's not possible to use the hash for different usernames.
- SCRAM-SHA-1: Used with the SCRAM-SHA-1 mechanism. (v2.2+)
- CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. “pass” = vpvKh.SaNbR6s)
- PLAIN: Password is in plaintext.