From: unruh@invalid.ca   
      
   On 2012-06-09, Bit Twister  wrote:   
   > Anyone know the system configuration file which defines the hash   
   > function used to hash/encript the user passwords?   
      
   There is none. It is part of the passwd program AFAIK. Once it is done,   
   then there is a set format which tells the passwd program what hash is   
   used. Thus a DES based traditional password is 13 letters long. The BSD,   
   MD5 based hash (it is not MD5, it is god auful mess which uses MD5 as   
   well as a bunch of other junk to slow down MD5 and to "improve" it)   
   starts with $2. Others start with other signals to the passwd program.   
      
   >   
   > After reading about the LinkedIn crack, I thought I would see about a   
   > stronger hash.   
      
   Have no idea what this is about, but it looks like it simply a brute   
   force attack, which NO hash can protect against. It is like installing a   
   super high security, triple steel plated door on your house and leaving   
   the key under the mat at the front door. And when you hear your neighbor   
   was broken into, you put another layer of steel on the door, but leave   
   the key where it is.   
      
   The problem is NOT the hash. Even the DES based Unix hash is plenty   
   strong (but is suscetible to brute force cracking if someone really   
   wants to spend the time). You are far far better off looking elsewhere   
   for the biggest security weakness in your system ( which may be how you   
   choose your password) rather than worrying about the hash being used.   
   Most Linux systems now use the BSD/MD5 based hash which is pleanty   
   strong enough.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)