converting password hashes

Miroslav Lachman 000.fbsd at quip.cz
Tue Oct 29 16:55:41 UTC 2019


Wojciech Puchar wrote on 2019/10/29 15:48:
>>>> that doesn't
>>>>
>>>>
>>>> is there a way to make it work without contacting over hundred 
>>>> people and telling them what new password they have?
>>>
>>> If it is just MD5 with no salt, I suspect substituting “$1$$” for the 
>>> “{PLAIN_MD5}” would be sufficient.
>>
>> I have not checked the code, this might even work (if there is no check
>> for a non-empty hash).
>>
>> But the plain MD5 hashes have to be converted from hex to base64, too,
>> since that is the expected encoding for $1$ password entries ...
> 
> tried:
> 
> $ echo -n blah|md5|xxd -r -p|base64
> bx7QAqtVlYWQFOvwlRUi2Q==
> 
> then i put $1$$bx7QAqtVlYWQFOvwlRUi2Q by vipw in password field
> 
> tried to log in with blah password. doesn't work
> 
> any more ideas?

MD5 passwords are very weak and should not be used these days.
Blf-Crypt (bcrypt) or Argon2 is recommended:
https://doc.dovecot.org/configuration_manual/authentication/password_schemes/

There is a way you can change password hashes after successful logon 
with the old password hash.
This How To is for passwords in MySQL but you can modify it to your 
environment with UNIX passwords too.
https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
Only the hashes will be changed and nothing will be visible from the user's 
point of view; they keep using their passwords.

I think it is much better than using MD5 hashes forever.

Miroslav Lachman


More information about the freebsd-hackers mailing list