15.4. DES, Blowfish, MD5, SHA256, SHA512, and Crypt

Parts rewritten and updated by Bill Swingle.

Every user on a UNIX® system has a password associated with their account. To keep these passwords secret, the system encrypts them with a one-way hash: a password can easily be encrypted but not decrypted. The operating system itself does not know the password. It only knows the encrypted form of the password. The only way to get the plain-text password is by a brute force search of the space of possible passwords.

Originally, the only secure way to encrypt passwords in UNIX® was based on the Data Encryption Standard (DES). Since the source code for DES could not be exported outside the US, FreeBSD had to find a way to both comply with US law and retain compatibility with other UNIX® variants that used DES. The solution was MD5, which is believed to be more secure than DES.

15.4.1. Recognizing the Crypt Mechanism

Currently the library supports DES, MD5, Blowfish, SHA256, and SHA512 hash functions. To identify which encryption method FreeBSD is set up to use, examine the encrypted passwords in /etc/master.passwd. Passwords encrypted with the MD5 hash are longer than those encrypted with the DES hash and begin with the characters $1$. Passwords starting with $2a$ are encrypted with the Blowfish hash function. DES password strings do not have any particular identifying characteristics, but they are shorter than MD5 passwords, and are coded in a 64-character alphabet which does not include the $ character, so a relatively short string which does not begin with a dollar sign is very likely a DES password. Both SHA256 and SHA512 begin with the characters $6$.

The password format used for new passwords is controlled by the passwd_format login capability in /etc/login.conf, which takes values of des, md5, blf, sha256 or sha512. Refer to login.conf(5) for more information about login capabilities.
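
Because passwd_format only applies to new passwords, accounts whose password was set earlier keep their old hash format. The following sh script is an added example, not part of the Handbook: it classifies each password field by the prefixes described above and lists accounts whose hash differs from the expected passwd_format value. The function names and the sample file are constructed, treating a field that is empty or starts with * as having no hash is an assumption, and the $5$ prefix for SHA256 is taken from crypt(3) rather than from the text above.

```sh
#!/bin/sh
# Added example, not from the Handbook: report accounts whose stored
# password hash is not in the format set by passwd_format.

# Map one password field to a passwd_format name (des, md5, blf, sha256,
# sha512). "none" = empty or starred field, "unknown" = anything else.
classify_hash() {
    case "$1" in
        ''|'*'*)          echo none ;;     # assumption: no usable hash
        '$1$'*)           echo md5 ;;
        '$2'[a-z]'$'*)    echo blf ;;      # $2a$ and its variant tags
        '$5$'*)           echo sha256 ;;   # crypt(3) prefix, see lead-in
        '$6$'*)           echo sha512 ;;
        *[!./0-9A-Za-z]*) echo unknown ;;  # outside the DES alphabet
        *)                echo des ;;      # no '$', 64-character alphabet
    esac
}

# Read master.passwd-format lines on stdin and print "user scheme" for each
# account whose hash differs from the expected format given as $1.
audit_passwd() {
    expected=$1
    while IFS=: read -r user hash rest; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(classify_hash "$hash")
        case "$scheme" in
            none|"$expected") ;;           # nothing to report
            *) echo "$user $scheme" ;;
        esac
    done
}

# Constructed sample; the hash strings are made-up placeholders.
sample_passwd() {
    cat <<'EOF'
# constructed master.passwd excerpt
root:$6$constructedsalt$constructedhash:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$1$constsal$constructedhash:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:abCDEFGHIJKLM:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$6$constructedsalt$constructedhash:1003:1003::0:0:Carol:/home/carol:/bin/sh
EOF
}

sample_passwd | audit_passwd sha512
```

On a real system, run it as root with audit_passwd reading /etc/master.passwd in place of the sample. Each listed account keeps its old format until its password is next changed.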
