Security problem and a fix

Matthias Schmidt found a discussion about DragonFly’s password hashing.  The result, if I am reading it correctly, is that brute-forcing passwords from the stored hashes is quicker than it should be.  Matthias also found a contributed fix.  Samuel Greear updated the code to match the reference SHA implementation that Linux also uses, with this very pertinent warning.


3 Replies to “Security problem and a fix”

  1. I wonder whether there is a reason for using SHA and MD5 for password hashing in DFlyBSD? Wouldn’t it be better to use some hashing scheme that was designed with that specific application in mind like bcrypt or PBKDF2? While I’m not an expert in these matters, I link to an article whose argumentation I found quite plausible: http://codahale.com/how-to-safely-store-a-password/

  2. From
    http://onlamp.com/pub/a/bsd/2002/08/08/FreeBSD_Basics.html?page=2
    (Works in DragonFly IIRC)

    To implement Blowfish hashes, edit /etc/login.conf and change the passwd_format line so that it looks like this:

    :passwd_format=blf:\
    Save your change, then rebuild the login database with this command:

    cap_mkdb /etc/login.conf
    You’ll then have to change all of your users’ passwords so they will get a new Blowfish hash. You can do this by typing:

    passwd username
    as the superuser. Whatever username you use, that will be the user whose password will be updated. Repeat for all of your users, including the root account.

    Once you’re finished, double-check that it worked and you didn’t forget any users:

    more /etc/master.passwd
    All of the passwords for your users should begin with $2.

    Finally, configure the adduser utility to use Blowfish whenever you create a new user by editing /etc/auth.conf. Change the crypt_default line so that it looks like this:

    crypt_default=blf
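The “double-check that it worked and you didn’t forget any users” step above is easy to get wrong by eye on a long master.passwd. As an added example (not from the original post or the linked article), here is a small POSIX sh audit that classifies the crypt(3) hash of every account by its format prefix and lists the accounts still to be migrated with passwd(1). The sample file contents are constructed for the demo; the account names and hash strings are made up and not from any real system.

```sh
# Added example: audit a master.passwd-style file for password hash formats.
# Not part of the original post; the sample entries below are constructed.
# Field 2 of master.passwd is the crypt(3) hash. Format prefixes:
#   $1$   MD5-crypt          $2 (e.g. $2a$, $2b$)  Blowfish (bcrypt)
#   $5$   SHA-256-crypt      $6$                   SHA-512-crypt
#   13 chars, no '$'  traditional DES     '*' or '!'  locked     empty  no password

hash_type() {
    case "$1" in
        '')        echo empty ;;
        '*'*|'!'*) echo locked ;;
        '$1$'*)    echo md5 ;;
        '$2'*)     echo blowfish ;;
        '$5$'*)    echo sha256 ;;
        '$6$'*)    echo sha512 ;;
        *)         if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Print "user type" for every account in the given master.passwd-style file.
classify_passwd_file() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        case "$user" in '#'*) continue ;; esac
        printf '%s %s\n' "$user" "$(hash_type "$hash")"
    done < "$1"
}

# Accounts whose hash is neither Blowfish nor locked/empty still need 'passwd <user>'.
needs_migration() {
    classify_passwd_file "$1" |
        awk '$2 != "blowfish" && $2 != "locked" && $2 != "empty" { print $1 }'
}

# Constructed sample (hypothetical users and hash strings), written to the given path.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real system
root:$2a$04$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345678:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$saltsalt$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZa:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:xyVYZRQ2Q3F0A:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave (no password):/home/dave:/bin/sh
EOF
}

# Demo run against the constructed sample (on a real box: needs_migration /etc/master.passwd, as root).
sample=$(mktemp)
write_sample "$sample"
echo "Accounts without a Blowfish hash (run 'passwd <user>' as root for each):"
needs_migration "$sample"
rm -f "$sample"
```

Only the hash field is inspected, so the script never prints a hash; on a live system it has to run as root because master.passwd is mode 600. Locked accounts (`*` or `!`) are deliberately left alone, since they have no password to rehash.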
