Password encryption method question



alekz
18-Sep-2014, 19:51
Hello,

Yast->Security Center and Hardening->Password Settings

Is the password encryption method "Blowfish" the same as "bcrypt"?

Thanks

ab
18-Sep-2014, 20:23
Guessing, no:

http://en.wikipedia.org/wiki/Bcrypt


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

alekz
30-Sep-2014, 22:27
The reason I'm asking is because the /etc/shadow file on my SLES11SP3
machine contains entries that have the prefix $2y which according to
that article makes it bcrypt??

From Wikipedia:
The prefix "$2a$" or "2y" in a hash string in a shadow password file
indicates that hash string is a bcrypt hash in modular crypt format.

But in yast there is no mention of bcrypt, just Blowfish...

I can't seem to find a definitive reference.

On 2014-09-18 21:23, ab wrote:
> Guessing, no:
>
> http://en.wikipedia.org/wiki/Bcrypt

ab
30-Sep-2014, 22:41
Yeah, and based on that article I'm guessing the terms are being used
interchangeably in Yast. The proof is likely in the fact that one of them
is used in /etc/shadow (or /etc/passwd for old/odd installs) since that
only contains hashes (I've never seen an option on Linux to do otherwise,
anyway). Another, probably better, clue is that it's fixed-length. Set
a short password, then an insanely long password. Same length means you
have a hash (bcrypt) and not the output of something reversible (Blowfish).



alekz
30-Sep-2014, 23:43
Yes, it's fixed length for all the passwords in /etc/shadow.

Found some more info on the $2a prefix:
https://www.suse.com/support/security/advisories/2011_35_blowfish.html

I've found some info on a couple of websites that use the terms
interchangeably as well.

For example:
http://toves.freeshell.org/bf/
Noticing that SuSE 10.x had a different password hash from RHEL4 (md5)
I was curious.
It's apparently based on the Blowfish cipher and originally used in OpenBSD.

If I look at what OpenBSD uses it's apparently bcrypt.

I'll just have to install OpenBSD and compare.

On 2014-09-30 23:41, ab wrote:
> Yeah, and based on that article I'm guessing the terms are being used
> interchangeably in Yast. The proof is likely in the fact that one of them
> is used in /etc/shadow (or /etc/passwd for old/odd installs) since that
> only contains hashes (I've never seen an option on Linux to do otherwise,
> anyway). Another, probably better, clue is that it's fixed-length. Set
> a short password, then an insanely long password. Same length means you
> have a hash (bcrypt) and not the output of something reversible (Blowfish).

alekz
02-Oct-2014, 23:53
So I've installed OpenBSD; it sure does look the same.
Same length, and copying the hash from Suse to OpenBSD works.
OpenBSD uses the prefix 2a while Suse uses 2y.

On 2014-10-01 00:43, alekz wrote:
> Yes, it's fixed length for all the passwords in /etc/shadow.
>
> Found some more info on the $2a prefix:
> https://www.suse.com/support/security/advisories/2011_35_blowfish.html
>
> I've found some info on a couple of websites that use the terms
> interchangeably as well.
>
> For example:
> http://toves.freeshell.org/bf/
> Noticing that SuSE 10.x had a different password hash from RHEL4 (md5)
> I was curious.
> It's apparently based on the Blowfish cipher and originally used in OpenBSD.
>
> If I look at what OpenBSD uses it's apparently bcrypt.
>
> I'll just have to install OpenBSD and compare.
>
> On 2014-09-30 23:41, ab wrote:
>> Yeah, and based on that article I'm guessing the terms are being used
>> interchangeably in Yast. The proof is likely in the fact that one of them
>> is used in /etc/shadow (or /etc/passwd for old/odd installs) since that
>> only contains hashes (I've never seen an option on Linux to do otherwise,
>> anyway). Another, probably better, clue is that it's fixed-length. Set
>> a short password, then an insanely long password. Same length means you
>> have a hash (bcrypt) and not the output of something reversible (Blowfish).
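What the thread works out by hand (the $2y$/$2a$ prefix marks a bcrypt hash in modular crypt format, and every bcrypt string is the same length whatever the password) can be turned into a small audit script. The following Python is an added example, not code from this thread, from YaST or from SUSE/OpenBSD: it parses /etc/shadow-style lines, names the scheme from the prefix, applies ab's fixed-length check, and flags accounts still on legacy md5crypt or on a low bcrypt cost. The shadow lines are constructed (the salt and hash characters are filler, not real hashes of any password), and the scheme table is an assumption drawn from the common crypt(3) identifiers ($2b$ being OpenBSD's later bcrypt revision alongside $2a$ and $2y$).

```python
"""Classify /etc/shadow hash fields by their modular-crypt-format prefix.

Added example (not code from the thread or from SUSE/openSUSE/OpenBSD).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Identifier between the first two '$' of a modular-crypt-format hash.
# $2a$, $2b$ and $2y$ are all bcrypt: $2y$ is what SUSE writes, $2a$ what
# the thread's OpenBSD install writes. This is the scheme YaST labels
# "Blowfish"; it is not the raw Blowfish block cipher (which is reversible).
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
}

# A bcrypt string is always 60 characters: "$2y$" + 2-digit cost + "$" +
# 22-char salt + 31-char hash. That constant length is why ab's
# short-password / long-password comparison works.
BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


@dataclass
class ShadowEntry:
    user: str
    hash_field: str       # raw second field of the shadow line
    scheme: str           # "bcrypt", "md5crypt", ..., "no-password", "unknown"
    cost: Optional[int]   # bcrypt work factor (log2 of the rounds), else None
    locked: bool          # leading '!' or a bare '*' means no password login


def identify_scheme(h: str):
    """Return (scheme, cost) for a hash string with any lock marker removed."""
    if h in ("", "*"):
        return "no-password", None
    m = BCRYPT_RE.match(h)
    if m:
        return "bcrypt", int(m.group(2))
    if h.startswith("$"):
        ident = h.split("$")[1]
        return SCHEMES.get(ident, "unknown"), None
    if re.fullmatch(r"[./A-Za-z0-9]{13}", h):
        return "descrypt", None   # legacy 13-character DES crypt(3)
    return "unknown", None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, hash_field = fields[0], fields[1]
    locked = hash_field.startswith("!") or hash_field == "*"
    # A locked account keeps its original hash behind the '!' marker.
    scheme, cost = identify_scheme(hash_field.lstrip("!"))
    return ShadowEntry(user, hash_field, scheme, cost, locked)


def hash_lengths(entries: List[ShadowEntry]) -> Dict[str, Set[int]]:
    """ab's check: a real hash has one length regardless of password length."""
    out: Dict[str, Set[int]] = {}
    for e in entries:
        out.setdefault(e.scheme, set()).add(len(e.hash_field.lstrip("!")))
    return out


def weak_entries(entries: List[ShadowEntry], min_cost: int = 10) -> List[str]:
    """Users whose active hash is a legacy scheme or a bcrypt below min_cost."""
    weak = []
    for e in entries:
        if e.locked or e.scheme == "no-password":
            continue
        legacy = e.scheme in ("descrypt", "md5crypt")
        low_cost = e.scheme == "bcrypt" and e.cost is not None and e.cost < min_cost
        if legacy or low_cost:
            weak.append(e.user)
    return weak


# Constructed sample lines: salt/hash characters are filler, not real hashes.
SAMPLE_SHADOW = [
    "alice:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:16300:0:99999:7:::",
    "bob:$2a$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:16300:0:99999:7:::",
    "carol:$1$saltsalt$abcdefghijklmnopqrstuv:16300:0:99999:7:::",
    "dave:!$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:16300:0:99999:7:::",
    "nobody:*:16300:0:99999:7:::",
]


def audit(lines=SAMPLE_SHADOW):
    """Parse the lines and return (entries, lengths per scheme, weak users)."""
    entries = [parse_shadow_line(l) for l in lines]
    return entries, hash_lengths(entries), weak_entries(entries)


if __name__ == "__main__":
    entries, lengths, weak = audit()
    for e in entries:
        print(f"{e.user:8s} {e.scheme:12s} cost={e.cost} locked={e.locked}")
    print("hash lengths per scheme:", lengths)
    print("weak:", weak)
```

Run it against a copy of a real shadow file (read as root, never pasted anywhere) by passing the lines to `audit()`. The point it makes for the thread: the $2a$ and $2y$ entries classify identically and have identical length, which is the property that let the hash copied from Suse authenticate on OpenBSD.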