{"id":8889,"date":"2024-12-14T01:02:00","date_gmt":"2024-12-14T06:02:00","guid":{"rendered":"https:\/\/www.both.org\/?p=8889"},"modified":"2024-12-12T21:45:27","modified_gmt":"2024-12-13T02:45:27","slug":"how-i-create-encrypted-passwords","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=8889","title":{"rendered":"How I create encrypted passwords"},"content":{"rendered":"
\r\n
\r\n \r\n <\/i>\r\n <\/a>\r\n <\/span>\r\n<\/div><\/div>\n

I sometimes need to create an encrypted password for use in scripts when adding one or more new user accounts to hosts in my lab. It wouldn’t be very secure to use an unencrypted password in a script so encrypting the password it first is an important step for security.<\/p>\n\n\n\n

There’s an interesting command that we can use to create an encrypted password, mkpasswd<\/strong>. This command allows us to specify the salt to use to create the password, thus allowing us to duplicate the hash if we have both the salt and the plaintext password. Fortunately, we can’t recreate the plaintext password even if we have the hash and the salt. <\/p>\n\n\n\n

WIkipedia has an excellent article on the use of a random salt<\/a> to generate “perturbances” in the encryption algorithm used to generate the password hash.<\/p>\n\n\n\n

Simple password creation<\/h2>\n\n\n\n

The command syntax is mkpasswd PASSWORD [SALT]<\/strong>. The salt can be explicitly specified or, if not supplied, generated randomly at the time the password is hashed. Here’s a simple example using “password” as the password. All the commands in this article can be performed by a non-root user.<\/p>\n\n\n\n

dboth@david:~$ mkpasswd password<\/strong>\n$y$j9T$rAEn1ihmO6rhaE0w.1Z1R0$T7JD74ZeOi2B63TDJpx6aAdjFUEEjVofnOHUvmTcbX7\ndboth@david:~$ mkpasswd password<\/strong>\n$y$j9T$DB6589thfttCAfDmZ0SBX\/$eLSf0XsQ9A8aeopBTXEeRhUjEhkF1w7KUEvMaWpzwh4\ndboth@david:~$ mkpasswd password<\/strong>\n$y$j9T$etVZ43jAi5k3HMeMFewfa.$jEqC0ugThDK2135ZOCdiaDcPlY8fuEA6je6zLRgBst8<\/code><\/pre>\n\n\n\n
Let’s examine the structure of the password hash. There are four fields separated by the $ character. <\/p>\n\n\n\n
The first field defines the type of encryption used, in this case, “y” means Yescrypt. This is the default encryption method used by the mkpasswd<\/strong> command as well as the passwd<\/strong> command when setting passwords for accounts from the command line. The default encryption method for password changed<\/a> in 2021 from sha512 — designated with a 6 in this first field — to Yescrypt because it is more resistant to cracking. Fedora, Debian, Arch, and Ubuntu all use this more secure form of encryption for passwords. Passwords created originally using sha512 will be replaced with Yescrypt passwords when the password is changed. <\/p>\n\n\n\n
The second field is a default set of options for creating the password hash, j9T. Those details are beyond the scope of this article. <\/p>\n\n\n\n
The salt is located in the third field of the password string.  In this example, the salt is both random and different for all three instances. <\/p>\n\n\n\n
The fourth and last field is the hashed password. <\/p>\n\n\n\n
With a user defined salt<\/h2>\n\n\n\n
The mkpasswd<\/strong> command allows the user to define the salt using the -S (–salt=) option but Yescrypt doesn’t allow this. The Yescrypt method always uses long and randomly generated salts to ensure greater security. However less secure methods like sha512 and MD5 allow the user to define the salt.<\/p>\n\n\n\n
dboth@david:~$ mkpasswd -m md5 password -S 12345678<\/strong>\n$1$12345678$o2n\/JiO\/h5VviOInWJ4OQ\/\ndboth@david:~$ mkpasswd -m md5 password -S 12345678<\/strong>\n$1$12345678$o2n\/JiO\/h5VviOInWJ4OQ\/\ndboth@david:~$ mkpasswd -m sha-512 password -S 12345678<\/strong>\n$6$12345678$I8tr4xFAC6\/TtjYWdp0LWEjQre2LcYm2jdSMNLQDIyqRv.cKo7KMD5\/HpzVVFKpUQlIekr\/Vw.OdImtRM85fg\/\ndboth@david:~$ mkpasswd -m sha-512 password -S 12345678<\/strong>\n$6$12345678$I8tr4xFAC6\/TtjYWdp0LWEjQre2LcYm2jdSMNLQDIyqRv.cKo7KMD5\/HpzVVFKpUQlIekr\/Vw.OdImtRM85fg\/<\/code><\/pre>\n\n\n\n
This allows the same password hash to be created by using the same salt and plaintext password. This reduces the overall security of the passwords and makes cracking attacks more effective because one factor, the salt, can be reused in each attempt at brute-forcing a password. This isn’t possible with Yescrypt.<\/p>\n\n\n\n
Supported encryption methods<\/h2>\n\n\n\n
The mkpasswd command supports twelve hashing methods.<\/p>\n\n\n\n
dboth@david:~$ mkpasswd -m help<\/strong>\nAvailable methods:\nyescrypt        Yescrypt\ngost-yescrypt   GOST Yescrypt\nscrypt          scrypt\nbcrypt          bcrypt\nbcrypt-a        bcrypt (obsolete $2a$ version)\nsha512crypt     SHA-512\nsha256crypt     SHA-256\nsunmd5          SunMD5\nmd5crypt        MD5\nbsdicrypt       BSDI extended DES-based crypt(3)\ndescrypt        standard 56 bit DES-based crypt(3)\nnt              NT-Hash<\/code><\/pre>\n\n\n\n
Most of these hashing methods are demonstrably less secure than Yescrypt. <\/p>\n\n\n\n
Summary<\/h2>\n\n\n\n
I thought this would be an easy article, but it turns out — not so much. The mkpasswd<\/strong> command, despite having few options, is far more complex than I originally thought, and the use of the newest encryption methods is an important part of security. I learned more about creating passwords and the additional security afforded by the Yescrypt method, so this was a profitable day.<\/p>\n\n\n\n
Of course the strength of the password itself is a critical factor in the security of any account.<\/p>\n","protected":false},"excerpt":{"rendered":"
I sometimes need to create an encrypted password for use in scripts when adding one or more new<\/p>\n","protected":false},"author":2,"featured_media":2700,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[5,75],"tags":[662,261],"class_list":["post-8889","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-security","tag-password","tag-security"],"modified_by":"David Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/8889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8889"}],"version-history":[{"count":22,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/8889\/revisions"}],"predecessor-version":[{"id":8914,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/8889\/revisions\/8914"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/2700"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}