This is the BSDA Study Guide Book written via a wiki collaboration. This is a work in progress. You may contribute to or discuss this specific page at

Change the encryption algorithm used to encrypt the password database


Given a screenshot of a password database, an admin should be able to recognize the encryption algorithm in use and know how to select another algorithm. Have a basic understanding of when to use DES, MD5 and Blowfish.


TODO: test and document on other BSD systems -- as appropriate make this content not BSD specific

On NetBSD, the passwd(1) command (covered in section TODO) can use an /etc/passwd.conf configuration to choose the password algorithm. The format is ..TODO... The default is "old", which is the common crypt(3) DES encryption scheme. TODO: passwd.c doesn't call pw_getconf() so I think it must use PAM for this?

The following are examples of different results based on the same password.

  • old but common crypt(3) DES: 7rpABVh3LoKjE
  • MD5: $1$FSh3ps5T$Etg/3eGiSBqdGahf29lIN1
  • NetBSD newsalt: _Gl/.Sw2RBVnj01TI6Tc
  • SHA1: $sha1$21773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH
  • Blowfish: $2a$04$3/vwv4ibdVz2SUG3w.SRwOgI6kk7FUmmCVswZ/KUS9bngvgGEkqNq

As you can see, the newer algorithms use a format with a recognizable prefix (such as $1$, $sha1$ or $2a$), so routines (like TODO) know which algorithm to use when comparing a password. TODO: show this format

(Note that while a high number of rounds may improve security, it can be expensive: generating the hash becomes very slow.) TODO: reword this or better explain
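The following Python sketch is an added example, not part of the original guide or of any BSD source. It recognizes the algorithm from the format of a password field and reports the rounds where the format encodes them. The name `identify`, the patterns (derived from the five samples above) and the locked `*` entry are assumptions made for illustration.

```python
import re

C = r"[./0-9A-Za-z]"  # characters used by the crypt(3) text encodings
I64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Most specific patterns first; group "r" carries the work factor, if any.
FORMATS = [
    ("Blowfish", re.compile(rf"\$2[ab]\$(?P<r>\d\d)\${C}{{53}}")),  # $2b$: newer prefix
    ("SHA1", re.compile(rf"\$sha1\$(?P<r>\d+)\${C}{{1,64}}\${C}+")),
    ("MD5", re.compile(rf"\$1\${C}{{1,8}}\${C}{{22}}")),
    ("NetBSD newsalt", re.compile(rf"_(?P<r>{C}{{4}}){C}{{4}}{C}{{11}}")),
    ("DES", re.compile(rf"{C}{{13}}")),
]


def identify(field):
    """Return (algorithm, rounds); rounds is None when the format has no count."""
    for name, pattern in FORMATS:
        m = pattern.fullmatch(field)
        if not m:
            continue
        r = m.groupdict().get("r")
        if name == "Blowfish":      # two-digit cost is a log2 value
            return name, 2 ** int(r)
        if name == "SHA1":          # iteration count stored in decimal
            return name, int(r)
        if name == "NetBSD newsalt":  # 4 chars, 6 bits each, low bits first
            return name, sum(I64.index(c) << (6 * i) for i, c in enumerate(r))
        return name, None           # DES and MD5 use a fixed count
    return "unrecognized", None     # e.g. "*" or an empty field


# The five samples from the list above, plus a constructed locked entry.
SAMPLES = [
    "7rpABVh3LoKjE",
    "$1$FSh3ps5T$Etg/3eGiSBqdGahf29lIN1",
    "_Gl/.Sw2RBVnj01TI6Tc",
    "$sha1$21773$uV7PTeux$I9oHnvwPZHMO0Nq6/WgyGV/tDJIH",
    "$2a$04$3/vwv4ibdVz2SUG3w.SRwOgI6kk7FUmmCVswZ/KUS9bngvgGEkqNq",
    "*",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(identify(sample), sample)
```

The order of `FORMATS` matters: the bare 13-character DES pattern is checked last so that it never shadows a prefixed format.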


Practice Exercises

More information

login.conf(5); auth.conf(5); passwd.conf(5); adduser.conf(5) and adduser(8)
