
Thread: HOWTO: Blowfish passwords && password checks


  1. #1
    Join Date
    Sep 2005

    HOWTO: Blowfish passwords && password checks

    Ubuntu uses MD5-hashed passwords by default.
    MD5 is a 128-bit hash and nowadays not too secure anymore. has a description of hash collisions.

    There is support for an alternate hash, Blowfish. This has proven quite secure in OpenBSD.

    To enable it, you have to install libpam-unix2.
    apt-get install libpam-unix2
    Next replace all references of with in all files under /etc/pam.d

    Note: The number of references in the files depends on installed pam modules.

    In common-password add the following:
    password required nullok use_authok obscure min=9 max=72     blowfish
    To enable password checks when changing passwords, install
    and add the following to your /etc/pam.d/common-password:
    apt-get install libpam-passwdqc
    edit /etc/pam.d/common-password and add
    password required max=72 similar=deny enforce=everyone retry=2 ask_oldauthtok=update check_oldauthtok
    for a list of options look at

    Note: To finalize the changes, all passwords have to be reentered!!
    If you restart at this point, you will be unable to log in again!
    Set a new password with the passwd command (it can be the same as before, but it has to be reset to use the new hash!)

    Problems: For those of you in trouble after a reboot:
    You can boot into your system without a password if you append init=/bin/bash to your GRUB kernel parameters.
    To enter that, type "e" at the GRUB prompt and you can edit the entry.

    IMPORTANT: This only secures Ubuntu passwords! You can still log in with things like Knoppix or other methods like the one described above!
    For a fully secured system you have to encrypt the hard drives!

    There have been some problems (experienced by me and others) when using gnome-screensaver.
    The problem lies in the libpam-unix2 package. It does not feature an equivalent for unix_checkpwd.

    There are already bugreports at and

    Someone willing to try can compile the patch from novell and try out the unix2_checkpwd program and report back.
    Last edited by NiN; June 13th, 2007 at 07:54 PM. Reason: make it look prettier
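
Added example, not part of the original post: a shell check for the re-entry step above, listing which accounts in a shadow-format file still carry an old hash. It relies on the standard crypt(3) prefixes (`$1$` for MD5, `$2a$` and variants for Blowfish); the function names and the sample entries are constructed for illustration, and the sample hashes are placeholders, not real hashes.

```shell
#!/bin/sh
# Print "user scheme [locked]" for every entry of a shadow-format file.
# Usage: classify_shadow [FILE]   (default /etc/shadow, which needs root)
classify_shadow() {
    awk -F: '
    {
        h = $2
        # Leading "!" means the password is locked; the hash behind it
        # becomes valid again as soon as the account is unlocked.
        locked = sub(/^!+/, "", h) ? " locked" : ""
        if      (h == "" && locked == "") s = "EMPTY-PASSWORD"  # usable with nullok
        else if (h == "" || h == "*")     s = "no-login"
        else if (h ~ /^\$1\$/)            s = "md5"
        else if (h ~ /^\$2[abxy]?\$/)     s = "blowfish"
        else if (h ~ /^\$5\$/)            s = "sha256"
        else if (h ~ /^\$6\$/)            s = "sha512"
        else if (h ~ /^\$/)               s = "other"
        else if (length(h) == 13)         s = "des"
        else                              s = "unknown"
        print $1, s locked
    }' "${1:-/etc/shadow}"
}

# Accounts whose password was not re-entered after the switch:
# their stored hash is still MD5 (or legacy DES).
needs_reset() {
    classify_shadow "$1" | awk '$2 == "md5" || $2 == "des" { print $1 }'
}

# Constructed sample entries (placeholder hashes) for trying the functions
# without touching the real /etc/shadow:
#   sample_shadow > /tmp/shadow.sample && needs_reset /tmp/shadow.sample
sample_shadow() {
    cat <<'EOF'
root:$2a$05$CONSTRUCTEDSALTxxxxxxxCONSTRUCTEDHASHxxxxxxxxxxxxxxxxx:13677:0:99999:7:::
alice:$1$CONSTRUC$CONSTRUCTEDHASHxxxxxxx:13677:0:99999:7:::
bob:!$1$CONSTRUC$CONSTRUCTEDHASHxxxxxxx:13677:0:99999:7:::
daemon:*:13677:0:99999:7:::
guest::13677:0:99999:7:::
EOF
}
```

Run `needs_reset` as root before rebooting; every name it prints still needs `passwd` run for it. An `EMPTY-PASSWORD` entry is worth reviewing separately, since the `nullok` option accepts it.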

