How I create encrypted passwords
I sometimes need to create a password hash for use in scripts when adding one or more new user accounts to hosts in my lab. Putting a plaintext password in a script is not secure, so hashing it first is an important step. Strictly speaking, the value stored in /etc/shadow is a one-way hash rather than an encrypted password, although the crypt(3) and shadow(5) man pages still call it the "encrypted password"; this article uses both terms for the same thing.
There is an interesting command we can use to create a password hash, mkpasswd. It lets us specify the salt used when hashing, so we can reproduce a hash exactly if we have both the salt and the plaintext password. Going the other way is not possible: with only the hash and the salt, the sole way to recover the plaintext is to guess candidate passwords and hash each one with that salt until one matches, which is exactly what password-cracking tools do, and which is why the cost of the hash function matters.
Wikipedia has an excellent article on salts. A salt is a random value that is mixed into the hash function's input along with the password, so that two accounts with the same password get different hashes and an attacker cannot precompute a table of hashes for common passwords and reuse it against every account.
Simple password creation
The basic syntax is mkpasswd [OPTIONS] PASSWORD [SALT]. The salt can be given explicitly or, if it is not supplied, is generated randomly when the password is hashed. Here is a simple example using "password" as the password; each run produces a different hash. All the commands in this article can be run by a non-root user. One caution for anything beyond a throwaway lab account: a password typed on the command line ends up in the shell history and is visible to other users in the process list while mkpasswd runs, so for real accounts omit the password argument and let mkpasswd prompt for it, or feed it on standard input with the -s (--stdin) option.
dboth@david:~$ mkpasswd password
$y$j9T$rAEn1ihmO6rhaE0w.1Z1R0$T7JD74ZeOi2B63TDJpx6aAdjFUEEjVofnOHUvmTcbX7
dboth@david:~$ mkpasswd password
$y$j9T$DB6589thfttCAfDmZ0SBX/$eLSf0XsQ9A8aeopBTXEeRhUjEhkF1w7KUEvMaWpzwh4
dboth@david:~$ mkpasswd password
$y$j9T$etVZ43jAi5k3HMeMFewfa.$jEqC0ugThDK2135ZOCdiaDcPlY8fuEA6je6zLRgBst8
Let’s examine the structure of the password hash. There are four fields separated by the $ character.
The first field identifies the hashing method; "y" means yescrypt. This is the default for mkpasswd and, on current releases of Fedora, Debian, Arch, and Ubuntu, for the passwd command as well. The default is chosen by the distribution's libxcrypt and PAM configuration, not by the algorithm itself. Those distributions moved from sha512crypt, designated by a 6 in the first field, to yescrypt beginning around 2021, because yescrypt is memory-hard and therefore far more expensive to attack on GPUs and other parallel hardware. Existing sha512crypt hashes keep working; an account gets a yescrypt hash the next time its password is changed.
The second field, j9T, encodes the yescrypt cost parameters (its flags and memory and time cost) that libxcrypt uses by default. Because the parameters are stored in the string, the verifier reads them back, and a hash created with a higher cost still verifies. The encoding itself is beyond the scope of this article.
The salt is located in the third field of the password string. In this example, the salt is both random and different for all three instances.
The fourth and last field is the hashed password.
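The field layout described above is easy to pull apart mechanically, which is useful when auditing a whole /etc/shadow rather than one hash. The following is an added example, not code from the original article or from the mkpasswd project. It parses the modular crypt format that libxcrypt uses ($id$[params$]salt$digest) and the two legacy layouts that differ from it (bcrypt runs salt and digest together after the cost; descrypt has no prefix at all), flags unsalted or obsolete methods, and reports salts that repeat across accounts. The sample hashes are the ones shown in this article, reused as constructed input, plus the well-known NT hash of "password"; nothing here computes or verifies a hash.

```python
"""Dissect crypt(3)-style password hashes of the kind mkpasswd emits.

Added example, not code from the original article or the mkpasswd project.
Assumes libxcrypt's modular crypt format, $id$[params$]salt$digest, with
two exceptions handled specially: bcrypt runs salt and digest together
after $2b$cost$, and descrypt has no prefix at all.
"""
from __future__ import annotations

from dataclasses import dataclass

# First-field identifiers mapped to the names `mkpasswd -m help` uses.
METHOD_IDS = {
    "y": "yescrypt",
    "gy": "gost-yescrypt",
    "7": "scrypt",
    "2b": "bcrypt",
    "2a": "bcrypt-a",
    "6": "sha512crypt",
    "5": "sha256crypt",
    "1": "md5crypt",
    "3": "nt",
}

# Methods an auditor should flag in /etc/shadow: fast, unsalted or
# truncating designs that predate GPU cracking.
WEAK_METHODS = {"md5crypt", "bsdicrypt", "descrypt", "nt"}


@dataclass(frozen=True)
class CryptHash:
    method: str
    params: str   # "j9T" for yescrypt, "rounds=N" for sha*crypt, cost for bcrypt, "" if none
    salt: str
    digest: str


def parse_crypt_hash(s: str) -> CryptHash:
    """Split one crypt(3) string into method, parameters, salt and digest."""
    if not s.startswith("$"):
        if len(s) == 13:                        # descrypt: 2 salt chars + 11 digest chars
            return CryptHash("descrypt", "", s[:2], s[2:])
        if s.startswith("_") and len(s) == 20:  # bsdicrypt: _ + 4 rounds + 4 salt + 11 digest
            return CryptHash("bsdicrypt", s[1:5], s[5:9], s[9:])
        raise ValueError("unrecognised crypt(3) string")
    fields = s[1:].split("$")
    method = METHOD_IDS.get(fields[0])
    if method is None:
        raise ValueError(f"unknown method id {fields[0]!r}")
    if method.startswith("bcrypt"):
        # $2b$cost$ then 22 salt characters and 31 digest characters, no separator.
        if len(fields) != 3 or len(fields[2]) != 53:
            raise ValueError("malformed bcrypt string")
        return CryptHash(method, fields[1], fields[2][:22], fields[2][22:])
    if len(fields) == 4:   # $id$params$salt$digest: yescrypt, scrypt, sha*crypt with rounds=
        return CryptHash(method, fields[1], fields[2], fields[3])
    if len(fields) == 3:   # $id$salt$digest: md5crypt, default-rounds sha*crypt, $3$$ for NT
        return CryptHash(method, "", fields[1], fields[2])
    raise ValueError("malformed crypt(3) string")


def audit(s: str) -> list[str]:
    """Problems an auditor would flag for a single hash string."""
    h = parse_crypt_hash(s)
    problems = []
    if h.method in WEAK_METHODS:
        problems.append(f"weak method {h.method}")
    if not h.salt:
        problems.append("unsalted")
    return problems


def shared_salts(hashes: list[str]) -> dict[tuple[str, str], list[str]]:
    """Group digests by (method, salt). A salt that repeats across accounts was
    chosen by hand rather than generated; identical digests under it mean
    identical passwords."""
    groups: dict[tuple[str, str], list[str]] = {}
    for s in hashes:
        h = parse_crypt_hash(s)
        groups.setdefault((h.method, h.salt), []).append(h.digest)
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample: hashes from this article plus the well-known NT hash of "password".
SAMPLE_HASHES = [
    "$y$j9T$rAEn1ihmO6rhaE0w.1Z1R0$T7JD74ZeOi2B63TDJpx6aAdjFUEEjVofnOHUvmTcbX7",
    "$y$j9T$DB6589thfttCAfDmZ0SBX/$eLSf0XsQ9A8aeopBTXEeRhUjEhkF1w7KUEvMaWpzwh4",
    "$1$12345678$o2n/JiO/h5VviOInWJ4OQ/",
    "$1$12345678$o2n/JiO/h5VviOInWJ4OQ/",
    "$6$12345678$I8tr4xFAC6/TtjYWdp0LWEjQre2LcYm2jdSMNLQDIyqRv.cKo7KMD5/HpzVVFKpUQlIekr/Vw.OdImtRM85fg/",
    "$3$$8846f7eaee8fb117ad06bdd830b7586c",
]

if __name__ == "__main__":
    for s in SAMPLE_HASHES:
        h = parse_crypt_hash(s)
        print(f"{h.method:12} params={h.params or '-':8} salt={h.salt or '-'}  issues={audit(s)}")
    for (method, salt), digests in shared_salts(SAMPLE_HASHES).items():
        kind = "identical" if len(set(digests)) == 1 else "different"
        print(f"salt {salt!r} reused {len(digests)}x with {method}; {kind} passwords")
```

Run against a real shadow file by reading the second colon-separated field of each line; the two md5crypt entries above come out as a shared salt with identical digests, which is precisely the leak discussed in the next section.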
With a user-defined salt
The mkpasswd command lets the user supply the salt with the -S (--salt=) option, but it will not accept one for yescrypt; it generates a long random salt itself. That restriction is in the tooling (mkpasswd and libxcrypt's salt generation), not in the algorithm: yescrypt, like every salted method, hashes whatever salt it is handed, but the tools deliberately do not expose that choice to the user. The older methods such as sha512crypt and md5crypt do accept a user-supplied salt.
dboth@david:~$ mkpasswd -m md5 password -S 12345678
$1$12345678$o2n/JiO/h5VviOInWJ4OQ/
dboth@david:~$ mkpasswd -m md5 password -S 12345678
$1$12345678$o2n/JiO/h5VviOInWJ4OQ/
dboth@david:~$ mkpasswd -m sha-512 password -S 12345678
$6$12345678$I8tr4xFAC6/TtjYWdp0LWEjQre2LcYm2jdSMNLQDIyqRv.cKo7KMD5/HpzVVFKpUQlIekr/Vw.OdImtRM85fg/
dboth@david:~$ mkpasswd -m sha-512 password -S 12345678
$6$12345678$I8tr4xFAC6/TtjYWdp0LWEjQre2LcYm2jdSMNLQDIyqRv.cKo7KMD5/HpzVVFKpUQlIekr/Vw.OdImtRM85fg/
This allows the same hash to be produced again from the same salt and plaintext. The salt is never secret; it is stored in the clear in the hash string, so a cracker always has it. Its job is to be unique. When the salt is chosen by hand and reused, two things go wrong: accounts that share both the salt and the password are immediately visible as such because their hashes are identical, and an attacker who obtains a batch of hashes with a common salt needs to hash each candidate password only once to test it against every account in the batch. A fresh random salt per account removes both problems: identical passwords get different hashes, and each account must be attacked separately. The md5crypt and sha512crypt formats give unique hashes too if mkpasswd is allowed to generate the salt; the weakness shown here comes from picking a short, reused salt yourself, which mkpasswd does not permit for yescrypt.
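The cost of a reused salt can be measured rather than argued. The following is an added example, not code from the original article, and it does not use mkpasswd: hashlib.scrypt from the Python standard library stands in for any salted crypt(3) method, with a deliberately tiny cost (n=2**10) so the demo finishes in well under a second, whereas production yescrypt and scrypt settings are far higher. The three accounts and the four-word wordlist are constructed sample data. It hashes the same accounts once with a fixed salt, as in the md5crypt and sha512crypt runs above, and once with a random salt per account, then runs the same guessing attack against both and counts how many KDF calls the attacker needed.

```python
"""What a chosen, reused salt costs, even with a strong hash function.

Added example, not from the original article and not using mkpasswd.
hashlib.scrypt stands in for any salted crypt(3) method, with a toy cost
so the demo runs quickly. Accounts and wordlist are constructed data.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

N, R, P = 2 ** 10, 8, 1       # toy cost parameters; production uses far more
Record = Tuple[bytes, bytes]  # (salt, digest): the two things a crypt(3) string stores


def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)


def make_record(password: str, salt: Optional[bytes] = None) -> Record:
    """A caller-supplied salt mimics `mkpasswd -S`; omitting it mimics the
    random salt mkpasswd generates for yescrypt."""
    if salt is None:
        salt = os.urandom(16)
    return salt, kdf(password, salt)


def verify(password: str, record: Record) -> bool:
    """Verification reads the salt back from the stored record, so a random
    salt costs the legitimate user nothing."""
    salt, digest = record
    return hmac.compare_digest(kdf(password, salt), digest)


def crack(records: Dict[str, Record], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline guessing attack against a whole batch of records.
    Returns (recovered passwords, number of KDF calls). Each guess is hashed
    once per distinct salt, so shared salts make the attack cheaper."""
    by_salt: Dict[bytes, List[Tuple[str, bytes]]] = {}
    for user, (salt, digest) in records.items():
        by_salt.setdefault(salt, []).append((user, digest))
    recovered: Dict[str, str] = {}
    calls = 0
    for guess in wordlist:
        for salt, members in by_salt.items():
            calls += 1
            candidate = kdf(guess, salt)
            for user, digest in members:
                if hmac.compare_digest(candidate, digest):
                    recovered[user] = guess
    return recovered, calls


# Constructed sample data: two users share a password.
PASSWORDS = {"alice": "password", "bob": "password", "carol": "hunter2"}
WORDLIST = ["123456", "password", "qwerty", "hunter2"]


def fixed_salt_records() -> Dict[str, Record]:
    """Every account hashed with the same hand-picked salt, as in the
    md5crypt and sha512crypt runs above."""
    return {u: make_record(p, salt=b"12345678") for u, p in PASSWORDS.items()}


def random_salt_records() -> Dict[str, Record]:
    """Every account gets its own random salt, as mkpasswd does for yescrypt."""
    return {u: make_record(p) for u, p in PASSWORDS.items()}


if __name__ == "__main__":
    for label, records in (("fixed salt", fixed_salt_records()),
                           ("random salt", random_salt_records())):
        same = records["alice"][1] == records["bob"][1]
        found, calls = crack(records, WORDLIST)
        print(f"{label:12} alice==bob digest: {same!s:5}  "
              f"cracked {len(found)}/{len(records)} with {calls} KDF calls")
```

With the fixed salt, alice and bob have identical digests and the four-word attack costs four KDF calls for all three accounts; with random salts the digests differ and the same attack costs twelve calls, one per guess per account. The ratio grows linearly with the number of accounts, which is what the random salt buys on top of a slow hash.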
Supported encryption methods
The version of mkpasswd used here supports twelve hashing methods. The list comes from the underlying libxcrypt library, so it can differ between distributions and releases.
dboth@david:~$ mkpasswd -m help
Available methods:
yescrypt Yescrypt
gost-yescrypt GOST Yescrypt
scrypt scrypt
bcrypt bcrypt
bcrypt-a bcrypt (obsolete $2a$ version)
sha512crypt SHA-512
sha256crypt SHA-256
sunmd5 SunMD5
md5crypt MD5
bsdicrypt BSDI extended DES-based crypt(3)
descrypt standard 56 bit DES-based crypt(3)
nt NT-Hash
Most of these hashing methods are demonstrably less secure than yescrypt. descrypt uses only the first eight characters of the password with a 56-bit key and a 12-bit salt, and bsdicrypt is a modest extension of it. nt is an unsalted MD4 hash of the password, so identical passwords always produce identical hashes and precomputed tables apply directly. md5crypt and sunmd5 are salted but cheap to compute, which makes large-scale guessing fast on modern hardware. sha256crypt and sha512crypt are still acceptable when the rounds count is high, but they are not memory-hard. bcrypt, scrypt, and yescrypt are the methods to choose from today, with yescrypt being the default on current distributions.
Summary
I thought this would be an easy article, but it turns out — not so much. The mkpasswd command, despite having few options, is far more complex than I originally thought, and the use of the newest encryption methods is an important part of security. I learned more about creating passwords and the additional security afforded by the Yescrypt method, so this was a profitable day.
Of course the strength of the password itself is a critical factor in the security of any account. A strong hash only makes each guess more expensive; it cannot rescue a password that appears in every cracker's wordlist.