Date:      Tue, 29 Oct 2019 15:48:20 +0100 (CET)
From:      Wojciech Puchar <wojtek@puchar.net>
To:        Stefan Eßer <se@freebsd.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: converting password hashes
Message-ID:  <alpine.BSF.2.20.1910291542300.2087@puchar.net>
In-Reply-To: <6bc3f2ec-0b2b-bbcc-2636-7130f8567bb4@freebsd.org>
References:  <alpine.BSF.2.20.1910291310310.72617@puchar.net> <1A7D3067-D5D6-47A0-9F42-FCBF8A1A856D@transactionware.com> <6bc3f2ec-0b2b-bbcc-2636-7130f8567bb4@freebsd.org>

>>> that doesn't
>>>
>>>
>>> is there a way to make it work without contacting over hundred people and telling them what new password they have?
>>
>> If it is just MD5 with no salt, I suspect substituting “$1$$” for the “{PLAIN_MD5}” would be sufficient.
>
> I have not checked the code, this might even work (if there is no check
> for a non-empty hash).
>
> But the plain MD5 hashes have to be converted from hex to base64, too,
> since that is the expected encoding for $1$ password entries ...

tried:

$ echo -n blah|md5|xxd -r -p|base64
bx7QAqtVlYWQFOvwlRUi2Q==

then I put $1$$bx7QAqtVlYWQFOvwlRUi2Q by vipw in the password field

Tried to log in with the password blah. Doesn't work.

Any more ideas?
Subject: Re: converting password hashes
To: Wojciech Puchar <wojtek@puchar.net>, Stefan Eßer <se@freebsd.org>
Cc: freebsd-hackers@freebsd.org
References: <alpine.BSF.2.20.1910291310310.72617@puchar.net>
 <1A7D3067-D5D6-47A0-9F42-FCBF8A1A856D@transactionware.com>
 <6bc3f2ec-0b2b-bbcc-2636-7130f8567bb4@freebsd.org>
 <alpine.BSF.2.20.1910291542300.2087@puchar.net>
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <9952a3b8-025f-2f8a-139f-417a2b0dcec9@quip.cz>
Date: Tue, 29 Oct 2019 17:55:35 +0100

Wojciech Puchar wrote on 2019/10/29 15:48:
>>>> that doesn't
>>>>
>>>>
>>>> is there a way to make it work without contacting over hundred 
>>>> people and telling them what new password they have?
>>>
>>> If it is just MD5 with no salt, I suspect substituting “$1$$” for the 
>>> “{PLAIN_MD5}” would be sufficient.
>>
>> I have not checked the code, this might even work (if there is no check
>> for a non-empty hash).
>>
>> But the plain MD5 hashes have to be converted from hex to base64, too,
>> since that is the expected encoding for $1$ password entries ...
> 
> tried:
> 
> $ echo -n blah|md5|xxd -r -p|base64
> bx7QAqtVlYWQFOvwlRUi2Q==
> 
> then i put $1$$bx7QAqtVlYWQFOvwlRUi2Q by vipw in password field
> 
> tried to log in with blah password. doesn't work
> 
> any more ideas?

MD5 passwords are very weak and should not be used these days.
Blf-Crypt (bcrypt) or Argon2 is recommended:
https://doc.dovecot.org/configuration_manual/authentication/password_schemes/

There is a way to change password hashes after a successful logon 
with the old password hash.
This How To is for passwords in MySQL, but you can modify it for your 
environment with UNIX passwords too.
https://wiki2.dovecot.org/HowTo/ConvertPasswordSchemes
Only the hashes will be changed and nothing will be visible from the users' 
point of view; they will keep using their passwords.

I think it is much better than using MD5 hashes forever.

Miroslav Lachman
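The upgrade-on-login approach from the Dovecot How To above, as an added Python example that is neither from the thread nor from Dovecot. It verifies a legacy {PLAIN_MD5} entry and, while the cleartext is in hand, rewrites it under a stronger scheme; the stdlib pbkdf2_hmac stands in for the bcrypt/Argon2 recommended above, the scheme label {PBKDF2-SHA256} is an assumption, and the user database is a constructed dict.

```python
import base64
import hashlib
import hmac
import os

OLD_SCHEME = "{PLAIN_MD5}"
NEW_SCHEME = "{PBKDF2-SHA256}"   # assumed label; stand-in for bcrypt/Argon2
ITERATIONS = 100_000


def make_db() -> dict:
    """Constructed sample: one user still on an unsalted hex MD5 of the password 'blah'."""
    return {"alice": OLD_SCHEME + hashlib.md5(b"blah").hexdigest()}


def hash_new(password: str, salt: bytes = b"") -> str:
    """Salted, iterated hash in the new scheme; a fresh random salt unless one is given."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%s%d$%s$%s" % (NEW_SCHEME, ITERATIONS,
                           base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify(stored: str, password: str) -> bool:
    """Check a password against whichever scheme the stored entry uses."""
    if stored.startswith(OLD_SCHEME):
        want = stored[len(OLD_SCHEME):].lower()
        return hmac.compare_digest(want, hashlib.md5(password.encode()).hexdigest())
    if stored.startswith(NEW_SCHEME):
        iters, salt_b64, dk_b64 = stored[len(NEW_SCHEME):].split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64))
    return False  # unknown scheme: never accept


def login(db: dict, user: str, password: str) -> bool:
    """Authenticate; on success, silently re-hash a legacy entry with the new scheme."""
    stored = db.get(user)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith(OLD_SCHEME):
        db[user] = hash_new(password)   # user notices nothing; only the stored hash changes
    return True
```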