Moving from MD5 to Blowfish on Debian/Ubuntu

By default, Debian & Ubuntu use MD5 to hash your passwords. While this is relatively secure, using Blowfish instead is (much?) better.

As I’m not a cryptographer, I have no idea how much better it is. But switching is incredibly easy, and there are no downsides, AFAIK. Follow along…

First, you need to install libpam-unix2, the pam module which uses Blowfish. This is only an apt-get away…

Next, replace ‘’ by ‘’ in /etc/pam.d/common-auth, /etc/pam.d/common-account, /etc/pam.d/common-session & /etc/pam.d/common-password.

In /etc/pam.d/common-password, you also need to change ‘md5’ to ‘blowfish’.

And while you’re at it, change ‘max=8’ (still in /etc/pam.d/common-password) to something higher, like ‘max=20’. It is my understanding that this limits the max size of your password. While you can still use a password longer than 8 chars, it’ll just ignore everything after the 8th char.

Those are all the changes you need to make your system start using Blowfish. You will need to create Blowfish hashes though (obviously), so the changes only apply to newly created accounts or when you change (or re-set) your password (using ‘passwd’).

I have only basic knowledge of pam, so some of these modifications may be redundant. Or there might be an even easier way to change it – I don’t know, but these changes will most certainly make it work.


1 Comment »

  1. adam said

    dear ludo,

    Is it really possible that we can convert md5 password to blowfish ? this application is due to the utility of jumphost.



RSS feed for comments on this post · TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: