Notes on the compatibility of crypted passwords on various Unixes
For some time, lots of Unix systems have supported better password
encryption schemes than the basic old
approach that's been used by Unix since V7. This is a good thing in
general, but if you have a heterogenous Unix environment with shared
passwords it creates a very important question: what password encryption
schemes are supported on all of your Unixes, and are thus safe to use?
(Encrypting passwords with an alternate scheme not supported on a
particular Unix version basically means that you can't use that Unix
version. For a long time the only safe answer here was to use the
crypt(3) scheme, weaknesses and all; this still remains the
most future-proof answer, since it's very unlikely that there will ever
be a Unix that doesn't support them.)
In general, people have settled on a generic format for 'modular'
encrypted passwords. They generally look like '
where the <alg> is one or more characters to specify the algorithm,
the <salt> is some number of characters of per-password salt, and the
<rest> is the encryption result. This is about all that's settled;
different Unixes differ in what algorithms are supported (and how
they're designated) and how long the salt can be, and some algorithms
change the interpretation of the fields.
Based on reading manpages and Wikipedia (and not on actual experimentation), the rough state of affairs is:
- MacOS X supports only traditional
crypt(3)passwords and a special 'DES extended format' that isn't widely supported.
- Linux supports MD5 and sometimes '2a' Blowfish, SHA-256, and SHA-512
and allows up to 16 characters of salt.
- FreeBSD supports MD5 and '2' Blowfish and only allows 8 characters of
salt, assuming that the manpage is not lying about that.
- NetBSD and OpenBSD support MD5 and '2a' Blowfish, with no stated salt
size limits for MD5 (their Blowfish is explicitly stated as using a
128 bit salt).
- Solaris 10 supports MD5, '2a' Blowfish, SHA-256, and SHA-512 with no
stated limit on salt size.
- AIX supports having additional algorithms, but I couldn't find documentation on what additional methods are actually supplied.
(I have skipped algorithms only supported on one Unix. There appear to be two versions of the Blowfish scheme, one known as '2' and one known as '2a'.)
Assuming that you don't care about MacOS X and perhaps AIX, MD5 appears to be your only safe bet if you trust everyone to have implemented it the same (and you can somehow avoid the salt length problem). Hopefully they have; that everyone uses the same format for modular encrypted passwords (and the same characters for various algorithms) is at least a good omen.
Sadly, my overall conclusion from this is that old-fashioned
passwords are still the safest choice. Enabling anything else would
require careful experimentation to make sure that everything actually
did do, say, 'MD5' encrypted passwords the same and there were not
peculiar limits that were going to be an issue.
(I'm vaguely disappointed by this, as I was hoping to find that by now
it was safe to use something better than plain old
crypt(3). I guess
our systems need to stay old-fashioned for a while longer.)
Comments on this page:Written on 02 April 2010.