[OpenWrt-Devel] SHA512/SHA256 hashes truncated/busybox weirdness

Felix Fietkau nbd at openwrt.org
Sun Jan 3 14:42:27 EST 2016

On 2016-01-03 20:17, Chris Marchesi wrote:
> Hey!
> I tried to change the default passwd algorithm used by busybox to
> sha512, but got some strange looking hashes back by passwd after changing.
> They basically had the algorithm and the salt (maybe) squashed, like below.
> $6abCDefGH:(rest of shadow entry here)
> Admittedly I'm not used to seeing this, so I'm not too sure if it's an
> issue or not. The passwords still worked after this, but I'm not too
> sure if it was insecure, so I reverted it back to defaults.
> Any ideas? I'm used to seeing a full $6$salt$hash entry.
I think switching from MD5 to SHA256/SHA512 is rather pointless.
It slows down password cracking by a small factor, but not by real
orders of magnitude, so it practically does not make much of a
difference in terms of security.

Since hash functions like MD5, SHA256, etc. are designed to be fast,
they don't provide much real security against hardware assisted brute
force cracking.

All password hash algorithms except for MD5 (default) and DES (for
compatibility reasons) have been stripped from libc to cut down on
useless bloat.

If you care about password storage security, it's better to use a
function that was intentionally designed NOT to be fast, e.g. PBKDF2 or
bcrypt. Feel free to send patches...

- Felix
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list