SHA hashes

From ArchWiki
(Redirected from SHA password hashes)

The Secure Hash Algorithms (SHA) are a set of hash functions, frequently used for a large variety of purposes.

Some examples of usage of the SHA hash functions in Arch Linux are:

SHA password hashes

By default Arch Linux used SHA-512 for passwords with package shadow releases from 4.1.4.3-3 (see bug 13591) to 4.14.0 (see yescrypt ). It replaced the older MD5 hash function, which has been found compromised by collision vulnerabilities. See wikipedia:Secure Hash Algorithms#Comparison of SHA functions for more information.

Configuration

The SHA-512 password hashing can be configured with the rounds=N option to improve key strengthening. For example, rounds=65536 means that an attacker has to compute 65536 hashes for each password they test against the hash in the /etc/shadow password file.

Therefore the attacker will be delayed by a factor of 65536. This also means that your computer must compute 65536 hashes every time you log in, but even on slow computers that takes less than one second.

Since pam release 1.6.0 the SHA-512 rounds option can be configured by either editing the /etc/login.defs file and setting an value for the SHA_CRYPT_MAX_ROUNDS parameter, or editing /etc/pam.d/passwd and adding the rounds with an appropriate value.[1]

If you do not use the rounds option, PAM will use a default different to the commented 5000 default in /etc/login.defs.

For example:

/etc/pam.d/passwd
password	required	pam_unix.so sha512 shadow nullok rounds=65536
Warning: Explicitly configuring a hash like sha512 in above example overrides the default yescrypt hash for subsequent passwd invocations.

For a more detailed explanation of the /etc/pam.d/passwd password options check the pam_unix(8) man page.

Usage

Even though you have changed the encryption settings, your passwords are not automatically re-hashed. To fix this, you must reset all user passwords so that they can be re-hashed.

As root issue the following command,

# passwd username

where username is the name of the user whose password you are changing. Then re-enter their current password, and it will be re-hashed.

To verify that your passwords have been re-hashed, check the /etc/shadow file as root. Passwords hashed with SHA-256 begin with a $5, passwords hashed with SHA-512 will begin with $6 and yescrypt hashes with $y.