On 2016-01-03 20:17, Chris Marchesi wrote:
> Hey!
>
> I tried to change the default passwd algorithm used by busybox to
> sha512, but got some strange looking hashes back by passwd after changing.
>
> They basically had the algorithm and the salt (maybe) squashed, like below.
>
> $6abCDefGH:(rest of shadow entry here)
>
> Admittedly I'm not used to seeing this, so I'm not too sure if it's an
> issue or not. The passwords still worked after this, but I'm not too
> sure if it was insecure, so I reverted it back to defaults.
>
> Any ideas? I'm used to seeing a full $6$salt$hash entry.

I think switching from MD5 to SHA256/SHA512 is rather pointless. It slows down password cracking by a small factor, but not by real orders of magnitude, so it practically does not make much of a difference in terms of security.
Since hash functions like MD5, SHA256, etc. are designed to be fast, they don't provide much real security against hardware assisted brute force cracking.

All password hash algorithms except for MD5 (default) and DES (for compatibility reasons) have been stripped from libc to cut down on useless bloat. If you care about password storage security, it's better to use a function that was intentionally designed NOT to be fast, e.g. PBKDF2 or bcrypt.

Feel free to send patches...

- Felix

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
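An added example, not part of the original thread: a small checker that classifies the password field of shadow entries and flags ones that do not follow the `$id$salt$hash` layout, such as the `$6abCDefGH` field quoted above. The function names, the salt and hash length limits (glibc-style crypt(3) conventions) and the sample entries are assumptions made for this illustration.

```python
import re

B64 = r"[./0-9A-Za-z]"  # crypt(3) base64 alphabet
# id -> (name, max salt length, hash length); assumed glibc-style limits
SCHEMES = {"1": ("md5crypt", 8, 22),
           "5": ("sha256crypt", 16, 43),
           "6": ("sha512crypt", 16, 86)}

def classify(field):
    """Return (scheme, problem) for one shadow password field."""
    if field == "":
        return ("none", "empty password field")
    if field[0] in "!*":
        return ("locked", None)
    if field[0] != "$":
        ok = re.fullmatch(B64 + "{13}", field)
        return ("descrypt", None) if ok else ("unknown", "not a crypt(3) string")
    parts = field.split("$")   # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    ident, rest = parts[1], parts[2:]
    if ident not in SCHEMES:
        # "$6abCDefGH" lands here: id and salt run together, no "$" between
        return ("unknown", "unrecognised scheme id %r" % ident)
    name, salt_max, hash_len = SCHEMES[ident]
    if ident in "56" and rest and rest[0].startswith("rounds="):
        rest = rest[1:]        # optional "rounds=N" parameter
    if len(rest) != 2:
        return (name, "expected $id$salt$hash")
    salt, digest = rest
    if not re.fullmatch("%s{1,%d}" % (B64, salt_max), salt):
        return (name, "malformed salt")
    if not re.fullmatch("%s{%d}" % (B64, hash_len), digest):
        return (name, "hash is not %d characters" % hash_len)
    return (name, None)

def audit(lines):
    """Return (user, scheme, problem) for each shadow-format line."""
    return [(l.split(":")[0],) + classify(l.split(":")[1]) for l in lines]

# Constructed sample entries; the hashes are filler, not real digests.
SAMPLE = [
    "root:$6$abCDefGH$" + "x" * 86 + ":16800:0:99999:7:::",
    "admin:$6abCDefGH:16800:0:99999:7:::",
    "user:$1$abCDefGH$" + "x" * 22 + ":16800:0:99999:7:::",
    "daemon:*:16800:0:99999:7:::",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```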