Changing the Default Password Encryption Algorithm on Solaris[TM] to Use Blowfish, MD5 or Any Other Algorithm (Doc ID 1001835.1)

Last updated on JUNE 13, 2023

Applies to:

Goal

In the era of increased security awareness, many people are looking for better ways to encrypt data and passwords.
This document details the steps necessary to configure Solaris[TM] 9 12/02 and later to use Blowfish or MD5 encryption algorithm as the default method for encrypting user passwords.

Every user on a UNIX system has a password associated with their login account. These passwords are encrypted in a one-way hash using the traditional UNIX crypt algorithm (crypt_unix).
This algorithm is no longer considered sufficiently secure for current systems and is provided for backward compatibility. This remains the default algorithm used for password encryption on Solaris[TM].

One of the biggest limitations is that only the first 8 characters of the key passed to this algorithm are used. The rest are silently ignored.  See the crypt_unix(5) man page for further details.

Solaris 9 12/02 introduces the ability to change the default encryption algorithm for passwords to use the Blowfish (crypt_bsdbf) or MD5 (crypt_sunmd5/crypt_bsdmd5) algorithms.

Solaris 10 introduced support for the SHA256 (crypt_sha256) and SHA512 (crypt_sha512) encryption algorithms.

There are two versions of the MD5 algorithm:

• crypt_sunmd5: This is Sun's implementation of the MD5 algorithm
• crypt_bsdmd5: This is the BSD implementation of the MD5 algorithm and provides compatibility with md5crypt on BSD and Linux systems.

Solution