Sandfly Blog
Linux systems face growing threats, making password security critical. Our white paper and video below on Linux password hashes expose the risks of outdated hashing algorithms and provide practical solutions:
White Paper: Linux Password Hash Risks
Over the years, password hashes on Linux have been updated to stay ahead of advances in hardware brute-force attacks. However, Linux systems often use legacy hashes with poor passwords, making credential theft a significant risk. In the paper and video above we go over the range of hashes available to protect Linux today and rate them as follows:
Strong hashes alone aren’t enough—passwords must be robust. Our white paper advises a minimum of 15 characters, but passphrases (e.g., seven-word Diceware-generated strings) are ideal. They’re both highly secure and easier to remember than complex passwords.
Even with solid hashing, a breached system lets attackers grab passwords in plaintext through sniffing and other attacks. Sandfly suggests moving beyond passwords entirely, but since they’re still common, combining strong passwords with modern hashes is vital. Additionally, embedded devices often rely on weak default passwords and outdated hashes, making them prime targets. Sandfly’s agentless security tools can spot these vulnerabilities, securing systems that are often ignored.
Sandfly can help find obsolete password hashes and audit systems for weak passwords that can lead to immediate compromise. Please see the white paper above, and our white paper on agentless password auditing, to see how Sandfly can protect systems agentlessly against these threats.
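As an added illustration of what auditing for obsolete hashes involves (this is not Sandfly's tooling and not the white paper's rating), the Python sketch below reads shadow(5)-format text and names the hash scheme of each entry from its crypt(5) prefix. The `LEGACY` set and the sample entries are assumptions constructed for this example.

```python
# Added example: name the hash scheme of each entry in shadow(5)-format text.
# Prefixes follow crypt(5). LEGACY is an assumption, not the paper's rating.
SCHEMES = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt",
    "y": "yescrypt", "gy": "gost-yescrypt", "sha1": "sha1crypt",
}
LEGACY = {"descrypt", "bsdicrypt", "md5crypt", "sha1crypt"}

# Constructed sample input; the salt and hash strings are placeholders.
SAMPLE = """\
root:$y$j9T$constructedsalt$constructedhash:19700:0:99999:7:::
backup:$1$constructed$constructedhash:15000:0:99999:7:::
svc:!$6$constructed$constructedhash:19000::::::
legacy:abCDEFGHIJKLM:12000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

def classify(field):
    """Name the scheme used by the password field of one shadow entry."""
    if field == "":
        return "empty"                      # no password required at all
    if field[0] in "!*":                    # locked; a hash may follow '!'
        rest = field.lstrip("!*")
        return "locked:" + classify(rest) if rest else "locked"
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    if field.startswith("_") and len(field) == 20:
        return "bsdicrypt"
    return "descrypt" if len(field) == 13 else "unknown"

def audit(shadow_text):
    """Return (user, scheme, flagged) per entry; flagged means needs review."""
    results = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        scheme = classify(fields[1])
        # A locked account keeps its old hash, so judge the hash underneath.
        base = scheme.split(":")[-1]
        flagged = base in LEGACY or base in ("empty", "unknown")
        results.append((fields[0], scheme, flagged))
    return results

if __name__ == "__main__":
    for user, scheme, flagged in audit(SAMPLE):
        print(f"{user:8} {scheme:20} {'REVIEW' if flagged else 'ok'}")
```

On a real host the input would be the contents of `/etc/shadow`, which requires root to read.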