Password encryption method question

Hello,

YaST->Security Center and Hardening->Password Settings

Is the password encryption method “Blowfish” the same as “bcrypt”?

Thanks

Guessing, no:

http://en.wikipedia.org/wiki/Bcrypt
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

The reason I’m asking is that the /etc/shadow file on my SLES11SP3
machine contains entries that have the prefix $2y, which according to
that article makes it bcrypt?

From Wikipedia:
The prefix “$2a$” or “$2y$” in a hash string in a shadow password file
indicates that hash string is a bcrypt hash in modular crypt format.

But in YaST there is no mention of bcrypt, just Blowfish…

I can’t seem to find a definitive reference.

On 2014-09-18 21:23, ab wrote:

Guessing, no:

http://en.wikipedia.org/wiki/Bcrypt

Yeah, and based on that article I’m guessing the terms are being used
interchangeably in YaST. The proof is likely in the fact that one of them
is used in /etc/shadow (or /etc/passwd for old/odd installs) since that
only contains hashes (I’ve never seen an option on Linux to do otherwise,
anyway). Another, probably better, clue is that it’s fixed-length. Set
a short password, then an insanely long password. Same length means you
have a hash (bcrypt) and not the output of something reversible (Blowfish).

Yes, it’s fixed length for all the passwords in /etc/shadow.

Found some more info on the $2a prefix:
https://www.suse.com/support/security/advisories/2011_35_blowfish.html

I’ve found some info on a couple of websites that use the terms
interchangeably as well.

For example:
http://toves.freeshell.org/bf/
Noticing that SuSE 10.x had a different password hash from RHEL4 (md5),
I was curious.
It’s apparently based on the Blowfish cipher and originally used in OpenBSD.

If I look at what OpenBSD uses, it’s apparently bcrypt.

I’ll just have to install OpenBSD and compare.

On 2014-09-30 23:41, ab wrote:

Yeah, and based on that article I’m guessing the terms are being used
interchangeably in YaST. The proof is likely in the fact that one of them
is used in /etc/shadow (or /etc/passwd for old/odd installs) since that
only contains hashes (I’ve never seen an option on Linux to do otherwise,
anyway). Another, probably better, clue is that it’s fixed-length. Set
a short password, then an insanely long password. Same length means you
have a hash (bcrypt) and not the output of something reversible (Blowfish).

So I’ve installed OpenBSD, and it sure does look the same.
Same length, and copying the hash from SUSE to OpenBSD works.
OpenBSD uses the prefix 2a while SUSE uses 2y.

On 2014-10-01 00:43, alekz wrote:

Yes, it’s fixed length for all the passwords in /etc/shadow.

Found some more info on the $2a prefix:
https://www.suse.com/support/security/advisories/2011_35_blowfish.html

I’ve found some info on a couple of websites that use the terms
interchangeably as well.

For example:
http://toves.freeshell.org/bf/
Noticing that SuSE 10.x had a different password hash from RHEL4 (md5),
I was curious.
It’s apparently based on the Blowfish cipher and originally used in OpenBSD.

If I look at what OpenBSD uses, it’s apparently bcrypt.

I’ll just have to install OpenBSD and compare.
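Added example, not code from this thread, from YaST, SUSE, OpenBSD or crypt_blowfish: a stdlib-only Python audit of /etc/shadow password fields that turns ab's fixed-length clue and alekz's prefix question into checks. It classifies each entry by its modular-crypt-format tag ($1$, $2a$/$2b$/$2y$, $5$, $6$, or an untagged DES hash), splits bcrypt strings into tag, cost, salt and digest, flags entries that do not have the 60-character bcrypt shape, and shows the $2y$ to $2a$ retagging that is all it takes for a SUSE hash to be usable on OpenBSD, as alekz found. The sample shadow lines are constructed: the $2a$05$ string is the published crypt_blowfish test vector for the password "U*U", the other digests are placeholders of the right shape and not real hashes, and MIN_BCRYPT_COST is an assumed policy threshold, not a SUSE or YaST default.

```python
"""Classify /etc/shadow password fields by modular-crypt-format tag and
decode bcrypt strings into tag, cost, salt and digest.

Added example for this thread, not code from YaST, SUSE, OpenBSD or
crypt_blowfish. Stdlib only: it parses hashes, it does not compute bcrypt.
"""
import re

# Tag -> scheme. $2a$, $2b$ and $2y$ are all bcrypt: $2a$ is OpenBSD's
# original tag, $2y$ marks hashes from crypt_blowfish (what SUSE ships)
# after its 2011 fix, $2b$ is OpenBSD's later tag.
SCHEMES = {
    "$1$": "md5-crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
}

# A bcrypt string is always 60 chars: 4-char tag, 2-digit cost, '$',
# 22 salt chars and 31 digest chars in bcrypt's ./A-Za-z0-9 alphabet.
# This is ab's fixed-length clue turned into a strict shape check.
BCRYPT_RE = re.compile(
    r"^(\$2[aby]\$)(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

MIN_BCRYPT_COST = 10  # assumed policy threshold for this example only


def identify_scheme(pw):
    """Name the scheme of a shadow password field (lock marks stripped)."""
    if pw in ("", "*"):
        return "no-password"
    for tag, name in SCHEMES.items():
        if pw.startswith(tag):
            return name
    return "unknown-mcf" if pw.startswith("$") else "des-crypt"


def parse_bcrypt(pw):
    """Split a bcrypt string into its parts, or None if malformed."""
    m = BCRYPT_RE.match(pw)
    if not m:
        return None
    tag, cost, salt, digest = m.groups()
    return {"tag": tag, "cost": int(cost), "salt": salt, "digest": digest}


def retag_bcrypt(pw, new_tag="$2a$"):
    """Swap the bcrypt tag, e.g. SUSE's $2y$ -> OpenBSD's $2a$.

    Only the tag changes; cost, salt and digest stay identical, which is
    why a $2y$ hash copied from SUSE verifies on OpenBSD. Caveat: $2a$
    strings that the pre-2011 crypt_blowfish bug produced for passwords
    with 8-bit characters hold a different digest, so only retag hashes
    you know came from corrected code.
    """
    if parse_bcrypt(pw) is None or new_tag not in ("$2a$", "$2b$", "$2y$"):
        raise ValueError("not a well-formed bcrypt string or tag")
    return new_tag + pw[4:]


def audit_shadow(shadow_text):
    """One finding per shadow line: user, scheme, bcrypt cost, issues."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, pw = line.split(":")[:2]
        issues = ["locked"] if pw.startswith("!") else []
        pw = pw.lstrip("!")
        scheme = identify_scheme(pw)
        cost = None
        if scheme in ("des-crypt", "md5-crypt"):
            issues.append("legacy-scheme")
        elif scheme == "bcrypt":
            parts = parse_bcrypt(pw)
            if parts is None:
                issues.append("malformed-bcrypt")  # wrong length/alphabet
            else:
                cost = parts["cost"]
                if cost < MIN_BCRYPT_COST:
                    issues.append("low-cost")
        findings.append({"user": user, "scheme": scheme,
                         "cost": cost, "issues": issues})
    return findings


# Published crypt_blowfish test vector: password "U*U", cost 5.
TEST_SALT = "C" * 21 + "."
TEST_DIGEST = "E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW"
VECTOR_2A = "$2a$05$" + TEST_SALT + TEST_DIGEST

# Constructed sample shadow file. root's line is the vector retagged $2y$
# with cost 10 just to exercise the parser (not a real hash of anything);
# the md5/sha512 digests are placeholders of the right shape.
SAMPLE_SHADOW = "\n".join([
    "root:$2y$10$" + TEST_SALT + TEST_DIGEST + ":16344:0:99999:7:::",
    "alekz:" + VECTOR_2A + ":16344:0:99999:7:::",
    "legacy:$1$saltsalt$" + "a" * 22 + ":16344:0:99999:7:::",
    "svc:!$6$saltsalt$" + "b" * 86 + ":16344:0:99999:7:::",
    "short:$2y$10$" + TEST_SALT + TEST_DIGEST[:18] + ":16344:0:99999:7:::",
    "nobody:*:16344:0:99999:7:::",
])

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['user']:8}{f['scheme']:14}cost={f['cost']}  "
              + (", ".join(f["issues"]) or "ok"))
    print(retag_bcrypt("$2y$" + VECTOR_2A[4:]))  # back to OpenBSD's tag
```

Run it as-is to print the audit of the constructed sample. Point audit_shadow at a real /etc/shadow (read as root) to find accounts still on DES or md5-crypt, bcrypt entries below the cost you want, and entries whose length does not match the 60-character bcrypt shape; the retag caveat in retag_bcrypt is the one thing to keep in mind before copying hashes between a SUSE box and OpenBSD the way the last post describes.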