== Notes on the compatibility of crypted passwords on various Unixes

For some time, lots of Unix systems have supported better password
encryption schemes than the basic old _crypt(3)_ salted-mutant-DES
approach that's been used by Unix since V7. This is a good thing in
general, but if you have a heterogenous Unix environment with shared
passwords it creates a very important question: what password encryption
schemes are supported on *all* of your Unixes, and are thus safe to use?

(Encrypting passwords with an alternate scheme not supported on a
particular Unix version basically means that you can't use that Unix
version. For a long time the only safe answer here was to use the
original _crypt(3)_ scheme, weaknesses and all; this still remains the
most future-proof answer, since it's very unlikely that there will ever
be a Unix that doesn't support them.)

In general, people have settled on a generic format for 'modular'
encrypted passwords. They generally look like '_$<alg>$<salt>$<rest>_',
where the <alg> is one or more characters to specify the algorithm,
the <salt> is some number of characters of per-password salt, and the
<rest> is the encryption result. This is about all that's settled;
different Unixes differ in what algorithms are supported (and how
they're designated) and how long the salt can be, and some algorithms
change the interpretation of the fields.

Based on reading manpages and [[Wikipedia
http://en.wikipedia.org/wiki/Crypt_(Unix)]] (and not on actual
experimentation), the rough state of affairs is:

* MacOS X supports only traditional _crypt(3)_ passwords and a special
  'DES extended format' that isn't widely supported.

* Linux supports MD5 and sometimes '2a' Blowfish, SHA-256, and SHA-512
  and allows up to 16 characters of salt.

* FreeBSD supports MD5 and '2' Blowfish and only allows 8 characters of
  salt, assuming that the manpage is not lying about that.

* NetBSD and OpenBSD support MD5 and '2a' Blowfish, with no stated salt
  size limits for MD5 (their Blowfish is explicitly stated as using a
  128 bit salt).

* Solaris 10 supports MD5, '2a' Blowfish, SHA-256, and SHA-512 with no
  stated limit on salt size.

* AIX supports having additional algorithms, but I couldn't find
  documentation on what additional methods are actually supplied.

(I have skipped algorithms only supported on one Unix. There appear
to be two versions of the Blowfish scheme, one known as '2' and one
known as '2a'.)

Assuming that you don't care about MacOS X and perhaps AIX, MD5 appears
to be your only safe bet if you trust everyone to have implemented it
the same (and you can somehow avoid the salt length problem).  Hopefully
they have; that everyone uses the same format for modular encrypted
passwords (and the same characters for various algorithms) is at least a
good omen.

Sadly, my overall conclusion from this is that old-fashioned _crypt(3)_
passwords are still the safest choice. Enabling anything else would
require careful experimentation to make sure that everything actually
did do, say, 'MD5' encrypted passwords the same and there were not
peculiar limits that were going to be an issue.

(I'm vaguely disappointed by this, as I was hoping to find that by now
it was safe to use something better than plain old _crypt(3)_. I guess
our systems need to stay old-fashioned for a while longer.)