Tuesday, 29 September 2015

Password hash algorithm


Hash is a cryptography term for a one-way function. The input to the hash algorithm is the clear-text password and the output is a scrambled string of characters. Hashes are “one way” because the output string can’t be directly decrypted back into the password.

Hash algorithms use a concept called “salt” to increase their security. When a user sets a password, AIX generates a bit of random data (the salt) to make the resulting password hash unique.
The main reason for salting is to prevent pre-computed dictionary attacks aimed at cracking the password hash.


Although no example of a SHA-1 collision has been published yet, the security margin left by SHA-1 is weaker than intended, and its use is therefore no longer recommended for applications that depend on collision resistance, such as digital signatures. Although SHA-2 bears some similarity to the SHA-1 algorithm, these attacks have not been successfully extended to SHA-2.

Changing the configured algorithm does not convert existing hashes: a user's hash uses the new algorithm only after that user's password is also changed.


AIX

To change the password hash algorithm, use the following command syntax and specify one of the password algorithm options (in this example, SHA512):

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512


LINUX

To inspect available algorithm choices:
authconfig --help | grep passalgo

To check the current algorithm:
authconfig --test | grep algo

To update the algorithm:
authconfig --passalgo=sha512 --update
This command modifies /etc/pam.d/system-auth, /etc/login.defs, /etc/libuser.conf and /etc/sysconfig/authconfig, and thus will have no effect (good or bad) on the password hashes already stored in /etc/passwd or /etc/shadow.
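
Because existing hashes are left untouched, it is worth listing which accounts still carry a hash in an older scheme after the switch. The script below is an added example, not part of the original post: the function names and the sample entries are constructed, and it assumes the usual crypt(3) prefixes in the second field of /etc/shadow ($1$ MD5, $5$ SHA-256, $6$ SHA-512, no prefix for DES).

```shell
#!/bin/sh
# Added example: report accounts whose stored hash is not SHA-512 crypt.
# Reads shadow-format lines ("user:hash:...") on stdin and prints
# "user scheme" for every account that still needs a password change.
audit_shadow_hashes() {
    awk -F: '
    {
        user = $1; hash = $2
        # Locked accounts keep the old hash behind a leading "!" or "!!".
        sub(/^!+/, "", hash)
        # Empty, "*" or "x" means there is no password hash to migrate.
        if (hash == "" || hash == "*" || hash == "x") next
        # $6$ is SHA-512 crypt: already on the target algorithm.
        if (hash ~ /^\$6\$/) next
        if      (hash ~ /^\$5\$/)        scheme = "sha256"
        else if (hash ~ /^\$1\$/)        scheme = "md5"
        else if (hash ~ /^\$2[abxy]?\$/) scheme = "bcrypt"
        else if (hash ~ /^\$/)           scheme = "other"
        else                             scheme = "des"
        print user, scheme
    }'
}

# Constructed sample entries (the hash values are made up, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:$6$Zk3constructed$Qm9ndXNIYXNoVmFsdWU:16707:0:99999:7:::
alice:$1$abcdefgh$Y29uc3RydWN0ZWQ:16000:0:99999:7:::
bob:!$5$saltsalt$Y29uc3RydWN0ZWQ:16500:0:99999:7:::
daemon:*:16000:0:99999:7:::
carol:ab12CdEfGhIjK:15000:0:99999:7:::
newuser:!!:16707:0:99999:7:::
EOF
}

# Demo on the constructed sample.
# On a real system, run as root: audit_shadow_hashes < /etc/shadow
sample_shadow | audit_shadow_hashes
```

Accounts listed by the script keep their old hash until their password is changed; locked accounts (such as bob in the sample) are reported too, since unlocking them would reactivate the old hash.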


SOLARIS

Look at the following file to check the hashes allowed on the system and choose the one you want to use:
# cat /etc/security/policy.conf