Issue
Good night!
I'm using a chpasswd.cgi to change password via web, the problem is that when I change the password to 123456789 it won't work. I'm migrating a proxy server to a new one, and I have more than 2k of password.
I noticed that the crypt() limits the passwords to 8 digits, and i have some password that goes beyond that. I tried to look into /etc/pam.d/common-password but I think that has nothing to do with what I want.
Solution
If your script is inheriting a default hash type, changing ENCRYPT_METHOD
in /etc/login.defs
may do what you're looking for. Depending on what OS release track you're using, available hash types may include, the following (none are great options in modern times):
MD5
(actually md5crypt) - EOL'd by the authorSHA256
(actually sha256crypt) - work increases with length (bad)SHA512
(actually sha512crypt) - work increases with length (bad)DES
(actually descrypt) - truncates at 8 chars; only two-byte salt
But sha256crypt or sha512crypt are probably the "least bad".
For those two, you will also want to increase SHA_CRYPT_MIN_ROUNDS
and SHA_CRYPT_MAX_ROUNDS
in the next config section to be as high as your users can stand (usually around the 500ms mark is when they'll start to notice). Keeping those values as a range (instead of the same value) will cause each hash to get a different, randomly distributed work factor within that range. This is a desirable countermeasure against cracking tools that work best (or only work) when all work factors are the same (such as hashcat).
Answered By - Royce Williams Answer Checked By - Gilberto Lyons (WPSolving Admin)