1

What is the default password encryption method used in Ubuntu 20.04? Is it different from 18.04 LTS?

2 Answers

5

Ubuntu does not encrypt anything by default. You have to use specific tools to encrypt. For example, e4crypt, ssh, gpg. Each of these tools may have a default encryption, and some support multiple encryption methods and let you configure the default.

You may notice that passwords are not listed above. That is because Ubuntu does not encrypt passwords, and no safe system does, because encryption is designed to be reversed and is typically fast, which would allow multiple guesses at passwords in a short time. Passwords are hashed in a lossy non-reversible way that is cryptographically secure and slow, so that even if the hashed password is leaked, it will take significant time to guess it from the hash.

Multiple password hash methods are supported, and the Ubuntu default configuration is to accept all of them, so if you upgrade and don't change your password, or even copy your hashed password from an original Unix system (e.g., sysVr4), it will still work.

The default password hash method is set in /etc/login.defs with the keyword (ironically) ENCRYPT_METHOD and new passwords will be hashed with this method. I believe the default for Ubuntu 18.04 - Ubuntu 22.04 has been SHA512.

user10489
  • 4,051
0

@user10489 has a pretty good answer, but let me add to it.

The authentication process is managed by PAM on Debian and thus Ubuntu, and is configurable in /etc/pam.d/common-password. Pay attention to the line (example from my Ubuntu 22.04 system):

password    [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass yescrypt

You can see that my Ubuntu system uses yescrypt, and there is a comment in the same file that documents yescrypt as the default since Debian 11 (and thus Ubuntu 21.10ish? Not sure of the mapping).

# Explanation of pam_unix options:
# The "yescrypt" option enables
#hashed passwords using the yescrypt algorithm, introduced in Debian
#11.  Without this option, the default is Unix crypt.  Prior releases
#used the option "sha512"; if a shadow password hash will be shared
#between Debian 11 and older releases replace "yescrypt" with "sha512"
#for compatibility .  The "obscure" option replaces the old
#`OBSCURE_CHECKS_ENAB' option in login.defs.  See the pam_unix manpage
#for other options.
wangd
  • 1
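
An added example, not part of either answer and not code from Ubuntu or PAM: a Python audit helper that reads ENCRYPT_METHOD from login.defs text, the hash option on the pam_unix.so line of common-password, and classifies /etc/shadow fields by their crypt(5) `$id$` prefix to list accounts whose stored hash predates the current method (the "upgrade and don't change your password" case from the first answer). The function names are hypothetical and the file contents are constructed samples with placeholder salts and hashes.

```python
import re

# crypt(5) hash ids seen in /etc/shadow, then pam_unix options selecting a hash
PREFIXES = {"1": "md5", "2a": "blowfish", "2b": "blowfish", "2y": "blowfish",
            "5": "sha256", "6": "sha512", "y": "yescrypt", "gy": "gost_yescrypt"}
PAM_METHODS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish",
               "gost_yescrypt", "yescrypt"}

def login_defs_method(text):
    """ENCRYPT_METHOD value from login.defs text, lower-cased, or None."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "ENCRYPT_METHOD":
            return fields[1].lower()
    return None

def pam_unix_method(text):
    """Hash option on the pam_unix.so 'password' line, or None if absent."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "password" and "pam_unix.so" in fields:
            opts = fields[fields.index("pam_unix.so") + 1:]
            return next((o for o in opts if o in PAM_METHODS), None)
    return None

def shadow_scheme(field):
    """Classify one shadow password field by its $id$ prefix."""
    field = field.lstrip("!")  # a leading "!" marks a locked password
    m = re.match(r"\$([^$]+)\$", field)
    if m:
        return PREFIXES.get(m.group(1), "unknown")
    return "no-password" if field in ("", "*") else "des-or-bigcrypt"

def stale_accounts(shadow_text, current):
    """Map user -> scheme for accounts not hashed with the current method."""
    stale = {}
    for line in shadow_text.splitlines():
        user, _, rest = line.partition(":")
        scheme = shadow_scheme(rest.split(":", 1)[0])
        if scheme not in (current, "no-password"):
            stale[user] = scheme
    return stale

# Constructed sample file contents (hash and salt values are placeholders)
LOGIN_DEFS = "# /etc/login.defs excerpt\nENCRYPT_METHOD SHA512\n"
COMMON_PASSWORD = ("password [success=2 default=ignore] pam_unix.so "
                   "obscure use_authtok try_first_pass yescrypt\n")
SHADOW = ("alice:$y$j9T$SALTPLACEHOLDER$HASHPLACEHOLDER:19000:0:99999:7:::\n"
          "bob:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18000:0:99999:7:::\n"
          "daemon:*:18000:0:99999:7:::\n")
```

On a real system the three strings would be read from /etc/login.defs, /etc/pam.d/common-password and /etc/shadow (the last requires root); an account reported as stale is re-hashed with the current method the next time its password is changed.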