# change password encryption scheme



## fluca1978 (Mar 28, 2013)

Suppose I want to change the password format for a machine that has already accounts.
I change the login class (suppose the default one) as follows:

```
default:\
 :passwd_format=blf:\
```
then run cap_mkdb(1). Does this suffice, or am I also supposed to run pwd_mkdb(1)? Because running only cap_mkdb(1) does not change the /etc/pwd.db files.
Or am I doing a totally wrong procedure?


----------



## SirDice (Mar 28, 2013)

New passwords will use the new scheme; the old passwords, however, will not change until the user changes their password.

If you think about it, it's not possible to change the hashing algorithm on existing passwords, you don't know what the password is so you cannot re-hash it with a new scheme.


----------



## fonz (Mar 28, 2013)

pwd_mkdb(8) does not "re-encrypt" passwords. In fact, I think that's pretty much impossible. The passwords have to be changed manually for the new format to take effect.


----------



## fluca1978 (Mar 28, 2013)

SirDice said:

> If you think about it, it's not possible to change the hashing algorithm on existing passwords, you don't know what the password is so you cannot re-hash it with a new scheme.



Thanks, I was realizing it by myself...
However, having changed the pwd_format, how can the old hash be checked when a user logs in?


----------



## fonz (Mar 28, 2013)

fluca1978 said:

> having changed the _pwd_format_, how can the old hash be checked when an user logs in?


The password hash has a prefix telling which encryption scheme was used. For example, MD5 hashes start with $1$, $2a$ means Blowfish, etc. It's all documented in the man page: see crypt(3).


----------



## SirDice (Mar 28, 2013)

If I remember correctly, the first few bytes of the hashed password indicate the hashing scheme that was used. The passwd_format 'variable' only comes into play when setting the password, not when checking it.


----------
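The practical consequence of the last two replies is that after switching `passwd_format` you are left with a mix of hash formats in `/etc/master.passwd`, and the only way to find out who still needs to change their password is to look at the prefix of each stored hash. The script below is an added example, not code from the thread or from FreeBSD: it parses master.passwd(5) lines, maps each hash to its crypt(3) scheme by prefix (traditional DES has no prefix and is recognised by its 13-character length), and lists the accounts whose hash does not yet use the target scheme. The `SAMPLE_MASTER_PASSWD` data is constructed for illustration; the hash strings in it are placeholders with the right prefixes, not real hashes, and the scheme names are assumed to match the `passwd_format` values accepted by login.conf(5).

```python
"""Audit which crypt(3) scheme each account in a master.passwd(5) file
still uses, so that after changing passwd_format in login.conf(5) you
can see who has yet to re-set their password.

Added example; not from the forum thread or from FreeBSD itself.
"""

from collections import Counter

# Hash prefix -> scheme name, using the names login.conf(5) accepts for
# passwd_format (assumed here). The prefix lives in the stored hash, which
# is exactly why crypt(3) can still verify old hashes after the default
# scheme changes: it reads the scheme from the hash, not from login.conf.
SCHEMES = {
    "$1$": "md5",
    "$2a$": "blf",      # Blowfish (bcrypt), older variant
    "$2b$": "blf",      # Blowfish (bcrypt), current variant
    "$3$": "nth",       # NT-Hash
    "$5$": "sha256",
    "$6$": "sha512",
    "$sha1$": "sha1",
}


def identify_scheme(pw_hash: str) -> str:
    """Return the scheme name of a stored password hash field."""
    if pw_hash == "":
        return "empty"                      # no password at all
    if pw_hash.startswith(("*", "!")):
        return "locked"                     # account cannot log in by password
    for prefix, name in SCHEMES.items():
        if pw_hash.startswith(prefix):
            return name
    # Traditional DES crypt: 2-char salt + 11 chars, no '$' marker.
    if len(pw_hash) == 13 and "$" not in pw_hash:
        return "des"
    return "unknown"


def parse_master_passwd(text: str):
    """Yield (login, hash) pairs from master.passwd(5) content.

    Entries have ten colon-separated fields:
    name:password:uid:gid:class:change:expire:gecos:home:shell
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed master.passwd entry: {line!r}")
        yield fields[0], fields[1]


def accounts_needing_rehash(text: str, target: str = "blf"):
    """Accounts whose hash uses a scheme other than `target`.

    Locked and passwordless accounts are skipped: there is nothing to
    re-hash, and the only way to move the rest is for the user to run
    passwd(1) again once the new passwd_format is in effect.
    """
    stale = []
    for login, pw_hash in parse_master_passwd(text):
        scheme = identify_scheme(pw_hash)
        if scheme in ("locked", "empty", target):
            continue
        stale.append((login, scheme))
    return stale


def scheme_summary(text: str) -> dict:
    """Count how many accounts use each scheme."""
    return dict(Counter(identify_scheme(h) for _, h in parse_master_passwd(text)))


# Constructed sample; the hash strings are placeholders with realistic
# prefixes, not real password hashes.
SAMPLE_MASTER_PASSWD = """\
# constructed sample master.passwd
root:$1$aB3dE5fG$cOnStRuCtEdMd5HaShPlaCeHoLder:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$2b$10$cOnStRuCtEdBlOwFiShHaShPlAcEhOlDeR:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$aB3dE5fG$cOnStRuCtEdSha512HaShPlaCeHoLder:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:abJnggxhB/yWI:1003:1003::0:0:Carol:/home/carol:/bin/tcsh
"""


if __name__ == "__main__":
    print("scheme counts:", scheme_summary(SAMPLE_MASTER_PASSWD))
    for login, scheme in accounts_needing_rehash(SAMPLE_MASTER_PASSWD, "blf"):
        print(f"{login}: still on {scheme}, must change password")
```

On a real system you would feed it the output of `cat /etc/master.passwd` as root (the world-readable `/etc/passwd` has the hash field masked). Note that the audit only tells you who has not changed their password yet; it cannot convert anything, for the reason SirDice gave above.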

