Can I change password encryption type?
I started out with one encryption type (accessible through yast) which is recorded in "/etc/default/passwd", but now I would like to change it to the better encryption method. Is it possible to change the encryption of your passwords of a system already in use? If so, how?
Ann wrote regarding '[SLE] Can I change password encryption type?' on Thu, Aug 19 at 13:47:
> I started out with one encryption type (accessible through yast) which is recorded in "/etc/default/passwd", but now I would like to change it to the better encryption method.
> Is it possible to change the encryption of your passwords of a system already in use? If so, how?
Not in general. When I've had to do this in the past, I've run a password cracking program on the existing passwords, and those that crack on dictionary words get reencoded. The other accounts get reencoded while I run a sniffer to grab their passwords when they pop their email, etc.
A good password encryption algorithm is generally a one-way algorithm, so there's no "converting" happening because there's no way to decrypt aside from things like brute force, etc.
Note that if you're using LDAP or similar, multiple encryption schemes aren't really a problem, since the encryption scheme is stored with the password.
--Danny
I decided to try it, by cheating and copying the shadow password. I changed the /etc/default/passwd in Yast from one type of encryption to another.
You are right. All the existing passwords do not change, but if I changed a password it was encrypted using the new type. They do seem to code the types of the password in the first two characters (looked at /etc/shadow).
All the existing passwords worked, so I can eventually change them all to the newer encryption.
Thanks for the advice.
Danny Sauer wrote:
> Ann wrote regarding '[SLE] Can I change password encryption type?' on Thu, Aug 19 at 13:47:
>> I started out with one encryption type (accessible through yast) which is recorded in "/etc/default/passwd", but now I would like to change it to the better encryption method.
>> Is it possible to change the encryption of your passwords of a system already in use? If so, how?
> Not in general. When I've had to do this in the past, I've run a password cracking program on the existing passwords, and those that crack on dictionary words get reencoded. The other accounts get reencoded while I run a sniffer to grab their passwords when they pop their email, etc.
> A good password encryption algorithm is generally a one-way algorithm, so there's no "converting" happening because there's no way to decrypt aside from things like brute force, etc.
> Note that if you're using LDAP or similar, multiple encryption schemes aren't really a problem, since the encryption scheme is stored with the password.
> --Danny
Participants (2): Ann Hopkins, Danny Sauer
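The thread's finding (the scheme is recorded at the start of each hash in /etc/shadow, and old hashes keep working until the password is next changed) lends itself to a migration audit. The following is an added example, not part of the original thread: it classifies shadow-format entries by their standard crypt(3) prefix and lists accounts still on an older scheme. The sample lines, function names and the chosen target scheme are constructed for illustration.

```python
import string

# Standard crypt(3) scheme identifiers found at the start of a hash.
SCHEMES = [("$1$", "md5"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
           ("$2y$", "bcrypt"), ("$5$", "sha256"), ("$6$", "sha512"),
           ("$y$", "yescrypt"), ("_", "bsdi-des")]
DES_ALPHABET = set(string.ascii_letters + string.digits + "./")

def classify(field):
    """Return (scheme, locked) for the password field of a shadow entry."""
    locked = field.startswith("!") or field == "*"
    h = field.lstrip("!")          # a leading '!' locks the account, hash follows
    if h in ("", "*"):
        return ("empty" if field == "" else "none", locked)
    for prefix, name in SCHEMES:
        if h.startswith(prefix):
            return (name, locked)
    # Traditional DES crypt has no prefix: 2 salt chars + 11 hash chars.
    if len(h) == 13 and set(h) <= DES_ALPHABET:
        return ("des", locked)
    return ("unknown", locked)

def audit(lines, target):
    """Map username -> scheme for accounts whose hash is not in `target`."""
    stale = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        scheme, _locked = classify(parts[1])
        if scheme not in ("none", "empty", target):
            stale[parts[0]] = scheme
    return stale

# Constructed sample in /etc/shadow format; the hashes are placeholders.
SAMPLE = """\
root:$6$c0nstructed$NOTAREALHASH:19000:0:99999:7:::
ann:abJnggxhB/yWI:12650:0:99999:7:::
danny:$2a$10$constructedNOTAREALHASH:12651:0:99999:7:::
mail:$1$constr$NOTAREALHASH:12000:0:99999:7:::
old:!$1$constr$NOTAREALHASH:12000:0:99999:7:::
daemon:*:12000::::::
"""

if __name__ == "__main__":
    for user, scheme in sorted(audit(SAMPLE.splitlines(), "sha512").items()):
        print(f"{user}: still {scheme}, rehashed at next password change")
```

On a live system the same functions can be fed the lines of /etc/shadow (readable by root only); accounts reported as stale move to the new scheme only when their password is next set.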