14.4. DES, Blowfish, MD5, SHA256, SHA512, and Crypt

Parts rewritten and updated by Bill Swingle.

Every user on a UNIX® system has a password associated with their account. In order to keep these passwords secret, they are encrypted with a one-way hash, as they can be easily encrypted but not decrypted. The operating system itself does not know the password. It only knows the encrypted form of the password. The only way to get the plain-text password is by a brute force search of the space of possible passwords.

Originally, the only secure way to encrypt passwords in UNIX® was based on the Data Encryption Standard (DES). Since the source code for DES could not be exported outside the US, FreeBSD had to find a way to both comply with US law and retain compatibility with other UNIX® variants that used DES. The solution was MD5 which is believed to be more secure than DES.

14.4.1. Recognizing the Crypt Mechanism

Currently the library supports DES, MD5, Blowfish, SHA256, and SHA512 hash functions. To identify which encryption method FreeBSD is set up to use, examine the encrypted passwords in /etc/master.passwd. Passwords encrypted with the MD5 hash are longer than those encrypted with the DES hash and begin with the characters $1$. Passwords starting with $2a$ are encrypted with the Blowfish hash function. DES password strings do not have any particular identifying characteristics, but they are shorter than MD5 passwords, and are coded in a 64-character alphabet which does not include the $ character, so a relatively short string which does not begin with a dollar sign is very likely a DES password. Both SHA256 and SHA512 begin with the characters $6$.

The password format used for new passwords is controlled by the passwd_format login capability in /etc/login.conf, which takes values of des, md5, blf, sha256 or sha512. Refer to login.conf(5) for more information about login capabilities.

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.