Notes on the compatibility of crypted passwords on various Unixes

April 2, 2010

For some time, lots of Unix systems have supported better password encryption schemes than the basic old crypt(3) salted-mutant-DES approach that's been used by Unix since V7. This is a good thing in general, but if you have a heterogenous Unix environment with shared passwords it creates a very important question: what password encryption schemes are supported on all of your Unixes, and are thus safe to use?

(Encrypting passwords with an alternate scheme not supported on a particular Unix version basically means that you can't use that Unix version. For a long time the only safe answer here was to use the original crypt(3) scheme, weaknesses and all; this still remains the most future-proof answer, since it's very unlikely that there will ever be a Unix that doesn't support them.)

In general, people have settled on a generic format for 'modular' encrypted passwords. They generally look like '$<alg>$<salt>$<rest>', where the <alg> is one or more characters to specify the algorithm, the <salt> is some number of characters of per-password salt, and the <rest> is the encryption result. This is about all that's settled; different Unixes differ in what algorithms are supported (and how they're designated) and how long the salt can be, and some algorithms change the interpretation of the fields.

Based on reading manpages and Wikipedia (and not on actual experimentation), the rough state of affairs is:

  • MacOS X supports only traditional crypt(3) passwords and a special 'DES extended format' that isn't widely supported.

  • Linux supports MD5 and sometimes '2a' Blowfish, SHA-256, and SHA-512 and allows up to 16 characters of salt.

  • FreeBSD supports MD5 and '2' Blowfish and only allows 8 characters of salt, assuming that the manpage is not lying about that.

  • NetBSD and OpenBSD support MD5 and '2a' Blowfish, with no stated salt size limits for MD5 (their Blowfish is explicitly stated as using a 128 bit salt).

  • Solaris 10 supports MD5, '2a' Blowfish, SHA-256, and SHA-512 with no stated limit on salt size.

  • AIX supports having additional algorithms, but I couldn't find documentation on what additional methods are actually supplied.

(I have skipped algorithms only supported on one Unix. There appear to be two versions of the Blowfish scheme, one known as '2' and one known as '2a'.)

Assuming that you don't care about MacOS X and perhaps AIX, MD5 appears to be your only safe bet if you trust everyone to have implemented it the same (and you can somehow avoid the salt length problem). Hopefully they have; that everyone uses the same format for modular encrypted passwords (and the same characters for various algorithms) is at least a good omen.

Sadly, my overall conclusion from this is that old-fashioned crypt(3) passwords are still the safest choice. Enabling anything else would require careful experimentation to make sure that everything actually did do, say, 'MD5' encrypted passwords the same and there were not peculiar limits that were going to be an issue.

(I'm vaguely disappointed by this, as I was hoping to find that by now it was safe to use something better than plain old crypt(3). I guess our systems need to stay old-fashioned for a while longer.)

Written on 02 April 2010.
« Looking back at a year of our disk-based backup system
A DVCS advantage for open source development »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Apr 2 03:17:19 2010
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.