
Good night!

I'm using a chpasswd.cgi to change passwords via the web. The problem is that when I change the password to 123456789 it won't work. I'm migrating a proxy server to a new one, and I have more than 2k passwords.

I noticed that crypt() limits the passwords to 8 digits, and I have some passwords that go beyond that. I tried to look into /etc/pam.d/common-password but I think that has nothing to do with what I want.

Renobr

1 Answer


If your script is inheriting a default hash type, changing ENCRYPT_METHOD in /etc/login.defs may do what you're looking for. Depending on what OS release track you're using, available hash types may include the following (none are great options in modern times):

But sha256crypt or sha512crypt are probably the "least bad".

For those two, you will also want to increase SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS in the next config section to be as high as your users can stand (usually around the 500ms mark is when they'll start to notice). Keeping those values as a range (instead of the same value) will cause each hash to get a different, randomly distributed work factor within that range. This is a desirable countermeasure against cracking tools that work best (or only work) when all work factors are the same (such as hashcat).

Royce Williams
  • Hello Royce, thanks for the answer. I'm using Debian 12 to host my proxy server. I tried with BCRYPT; it just won't work, and I can't edit the cgi file. But I use htpasswd to change the passwords; should I try to change something in the Apache config? I tried to look into it but only found information about the hash types and nothing about changing its size. – Renobr Jul 15 '23 at 14:43
  • Ah! htpasswd (the binary) has flags for specifying the hash type - see the -m, -B, -d, and -s flags. -B is the most modern, *but* note that depending on setup, the hash will be checked *for every HTTP fetch*. This means that object-heavy pages (like ones with a lot of images) can cause many re-checks of the hash, so test in advance - YMMV. – Royce Williams Jul 15 '23 at 16:45
  • We use htpasswd -d, which limits to 8 chara. I don't know what the last person did so that it allowed changing passwords over 8 chara. Do you have any idea of how to do it? I tried -B to test and it allows over 8 chara., but as you said about the check, I don't know if it's the best solution. I have a virtual server, so I can increase CPU and memory, but my main problem at the moment is that when I deploy the new server, everyone with a password with more than 8 chara. will have to change it, and I want to avoid this headache. – Renobr Jul 15 '23 at 17:23
  • There is no way to convert - if they had long passwords, they have to change them (even just to the same password) so the password can be rehashed. – Royce Williams Jul 15 '23 at 18:04
  • I wish I could edit the chpasswd.cgi; I think that it does the hash with -d. Thanks man. Do you know something about a password changer via website, like the chpasswd.cgi? – Renobr Jul 15 '23 at 19:33
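The thread's practical takeaway is that entries written with htpasswd -d (traditional DES crypt(), which silently truncates the password to 8 characters) cannot be converted to a longer-capable hash; the affected users have to set a password again after the migration. The following script is an added example, not code from the thread or from Apache, that audits an htpasswd file and lists exactly those users. It assumes the prefix conventions htpasswd uses on disk (bcrypt entries starting with $2y$, $2a$ or $2b$; apr1 MD5 with $apr1$; SHA-1 with {SHA}; sha256crypt/sha512crypt with $5$/$6$; and DES crypt as a bare 13-character string from the crypt alphabet), and the sample file content is constructed for the demonstration, with placeholder hashes that only have the right shape.

```python
# Added example: audit an htpasswd file for DES crypt() entries (htpasswd -d),
# which truncate passwords to 8 characters, and report who must reset.
import re
from collections import Counter

# Traditional DES crypt output: 2-char salt + 11 chars, all from ./0-9A-Za-z.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(h):
    """Return (format name, truncates_at_8) for one htpasswd hash field.

    Prefix conventions are assumed from htpasswd's on-disk formats.
    """
    if h.startswith(("$2y$", "$2b$", "$2a$")):
        return "bcrypt (htpasswd -B)", False
    if h.startswith("$apr1$"):
        return "apr1 MD5 (htpasswd -m)", False
    if h.startswith("{SHA}"):
        return "SHA-1 (htpasswd -s)", False
    if h.startswith("$6$"):
        return "sha512crypt", False
    if h.startswith("$5$"):
        return "sha256crypt", False
    if DES_CRYPT.match(h):
        return "DES crypt (htpasswd -d)", True
    return "unknown", False


def parse_htpasswd(text):
    """Yield (user, hash) pairs; blank lines and '#' comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if sep:
            yield user, h


def audit_htpasswd(text):
    """Return (Counter of entries per format, list of users who must reset)."""
    counts = Counter()
    must_reset = []
    for user, h in parse_htpasswd(text):
        name, truncates = classify_hash(h)
        counts[name] += 1
        if truncates:
            must_reset.append(user)
    return counts, must_reset


# Constructed sample file: placeholder hashes with the right shape, not real ones.
SAMPLE = """\
# proxy users
alice:$2y$05$abcdefghijklmnopqrstuuAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
bob:ab/CDEfgh12.3
carol:$apr1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA
dave:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
erin:xy9ZZZZZZZZZZ
"""

if __name__ == "__main__":
    counts, reset = audit_htpasswd(SAMPLE)
    for fmt, n in sorted(counts.items()):
        print(f"{n:4d}  {fmt}")
    print("users who must choose a new password after migration:",
          ", ".join(reset))
```

Run it against the real file (for example by replacing SAMPLE with the contents of the htpasswd file the proxy uses) before cutting over; the returned list is the set of accounts to notify, and the per-format counts show how much of the file already uses a hash that accepts passwords longer than 8 characters.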