DES to MD5 (mini) HOWTO

DES to MD5 (mini) HOWTO


        If there are any questions or comments, please direct them to The newest copy of this HowTo can always be retrieved
from All rights for the reproduction of this
document are reserved.


	This mini-HowTo will quickly discuss the FreeBSD system encryption
libraries and how to switch between DES and MD5 encryption schemes in
2.2.8, 3.x, and 4.0 FreeBSD systems.


	The FreeBSD system, by default, makes use of the MD5 encryption
scheme for passwords because of no export restriction. In addition, MD5 is
more secure than DES, which is mostly useful for backwards compatibility
where password files must be shared with other UNIX systems also using

	One can easily determine which encryption scheme is being used by
checking what libraries the libcrypt[._]* links in /usr/lib are linked
against. If they are linked against libscrypt* libraries, then MD5 is
being used, and if they are linked against libdescrypt* then DES is being
used. For instance, the follows lines indicate the system they are from
uses MD5 as its password encryption scheme:

(lasker@nu)/usr/lib>% ls -l libcrypt[._]*
lrwxr-xr-x  1 root  wheel       11 Jun  9 06:18 /usr/lib/libcrypt.a@ ->
lrwxr-xr-x  1 root  wheel       12 Jun  9 06:19 /usr/lib/ ->
lrwxr-xr-x  1 root  wheel       14 Jun  9 06:21 /usr/lib/ ->
lrwxr-xr-x  1 root  wheel       13 Jun  9 06:22 /usr/lib/libcrypt_p.a@ ->

	Switching Libraries.

	It is strongly recommended that the MD5 libraries be used instead
of DES whenever possible. As such, it may be necessary to switch libraries
if one has installed a system with DES encryption. This can be easily
accomplished by deleting the libcrypt[._]* links and recreating them by
linking them against the appropriate libraries, which are, simply,
libraries with the same name except with an 's' where there is 'des' in
each of their names. Following is a convenient table for sorting out the
encryption libraries:

	Links			DES			MD5
	-----			---			---

	libcrypt.a		libdescrypt.a		libscrypt.a
	libcrypt_p.a		libdescrypt_p.a		libscrypt_p.a


	A system using DES can still authenticate passwords encrypted in
MD5 as the MD5 hash is used in DES, however, not the other way around. One
can quickly check how a password has been encrypted by looking into
/etc/master.passwd. MD5 passwords are twice as long as DES passwords and
invariably begin with the string "$1$". For this, MD5 and DES passwords
can be easily identified. If one has a mixed batch of passwords encrypted
with both schemes it may be better to stay with the DES encryption
libraries, unless one can unproblematically re-encrypt all passwords in
the MD5 scheme.


	man 9 MD5
	man 1 bdes
	man 1 md5

Leave a Reply

Your email address will not be published. Required fields are marked *