0

I have a network of roughly 1000 SuSE machines with 20-200 users on each. The password hashing algorithm used is the default, i.e. blowfish. In order to check whether a user has used a dictionary word as the password, I have written a small utility that uses the crypt system call. The crypt system call for blowfish runs 10 cycles and performs very slowly. That makes the use of blowfish with 10 iterations as the password hashing algorithm not feasible. Hence I want to change the hashing algorithm for all the users on all the machines to MD5. Can somebody suggest a way which requires the least work, or no work at all, for the users?

Amit Kumar
    md5 is much more insecure than blowfish. Is your /etc/shadow safe, or is it world-readable? – Nils Apr 30 '12 at 20:22

2 Answers

2

You're sort of asking this question:

changing shadow hash algorithm to bcrypt: how to rehash

at least in terms of changing from one hash to another for /etc/shadow. Your least-work way would be to force everyone to change their passwords, after you have MD5 in place (though, I suppose, using something like SHA wouldn't be a bad thing, either).

With regard to preventing users from re-entering passwords based on dictionary words, look at running cracklib as they enter the password, not retroactively. This should be done through PAM (e.g., pam_cracklib.so is invoked for password changes). Here's the CentOS package info for cracklib:

Name       : cracklib
Arch       : i386
Version    : 2.8.9
Release    : 3.3
Size       : 140 k
Repo       : installed
Summary    : A password-checking library.
URL        : http://sourceforge.net/projects/cracklib/
License    : Artistic
Description: CrackLib tests passwords to determine whether they match certain
           : security-oriented characteristics, with the purpose of stopping users
           : from choosing passwords that are easy to guess. CrackLib performs
           : several tests on passwords: it tries to generate words from a username
           : and gecos entry and checks those words against the password; it checks
           : for simplistic patterns in passwords; and it checks for the password
           : in a dictionary.

There should be a package or library along those lines for SuSE.

cjc
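An added example, not part of the answer above or of any SuSE tool: existing hashes cannot be converted and are only replaced when each user sets a new password, so this script groups shadow entries by their crypt(3) id prefix to show which accounts still carry the old scheme. The sample entries, the `classify`/`audit` names and the `sha512` target are assumptions for illustration.

```python
# Added example: track a hash-algorithm migration by classifying shadow
# entries by their crypt(3) id prefix. Account names and hash strings in
# SAMPLE are constructed placeholders, not real credentials.
from collections import defaultdict

SCHEMES = {"1": "md5", "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt",
           "2x": "bcrypt", "2y": "bcrypt", "5": "sha256", "6": "sha512"}

def classify(field):
    """Return the scheme name for the password field of one shadow entry."""
    if field == "":
        return "empty"                      # no password set at all
    if field[0] in "!*":
        return "locked"                     # locked or no-login account
    if field.startswith("$"):
        parts = field.split("$")            # "$2a$10$..." -> ['', '2a', '10', ...]
        ident = parts[1] if len(parts) > 2 else ""
        return SCHEMES.get(ident, "unknown")
    # Traditional DES crypt is exactly 13 characters with no "$" prefix.
    return "des" if len(field) == 13 else "unknown"

def audit(shadow_text, target):
    """Group accounts by scheme; list those that are not yet on `target`."""
    by_scheme = defaultdict(list)
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or fields[0].startswith("#"):
            continue                        # skip blank or malformed lines
        by_scheme[classify(fields[1])].append(fields[0])
    pending = sorted(user for scheme, users in by_scheme.items()
                     if scheme not in (target, "locked") for user in users)
    return dict(by_scheme), pending

# Constructed sample in shadow(5) layout: name:hash:lastchg:min:max:warn:::
SAMPLE = """\
root:$6$CONSTRUCTEDSALT$constructedhashvalue:15460:0:99999:7:::
alice:$2a$10$constructedsaltandhashvalue:15400:0:99999:7:::
bob:$1$constructed$constructedhash:15461:0:99999:7:::
daemon:*:15000::::::
carol:!$2a$10$constructedsaltandhashvalue:15300:0:99999:7:::
"""

if __name__ == "__main__":
    schemes, pending = audit(SAMPLE, target="sha512")
    for scheme, users in sorted(schemes.items()):
        print(f"{scheme:8} {len(users):3}  {', '.join(users)}")
    print("still need a password change:", ", ".join(pending))
```

Accounts reported as pending can be expired with `chage -d 0 <user>` so the next login forces a password change, which is when the new hash is written.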
0

That's the point. If you are worried about people getting your password hashes and cracking them (like you are trying to do), you should use the stronger hash to make this more difficult.

If you are not worried about people getting your password hashes, you shouldn't waste any time hashing them and just store them in plain text.

If you want to prevent your users from choosing insecure passwords, it would be better to prevent them from choosing insecure passwords using something like passwdqc than race against crackers to catch them after the fact.

Samuel Edwin Ward