Ubuntu: change default encryption algorithm

While fighting with DB2 denying logins I had to change the default hash algorithm used to store passwords in /etc/shadow.

As far as I know (and as grep -i -r "sha512" /etc/* tells me :-) ), there are two files that carry this information. Namely /etc/pam.d/common-password and /etc/login.defs.

To change the algorithm from sha512 (which shifts as the default in the new Ubuntu releases) change this:


password [success=1 default=ignore] pam_unix.so obscure sha512


password [success=1 default=ignore] pam_unix.so obscure md5





Tags: , ,

2 Responses to “Ubuntu: change default encryption algorithm”

  1. ainande says:

    Hi there

    Thanks for this entry, it is well explained and understandable.
    Yet I still got a question (which hasn't really something to do with the algorithm, but anyway you may have an idea)..
    I'm wondering whether it's possible to reset the passphrase – I may have changed it or just forgot it, and now I wonder if I could maybe encrypt a string (new password) with the right algorithm and then replace the hash of the old password in a specific file (I still can start up my system n all that..)


  2. honza says:

    Hi ainande,

    echo username:password | chpasswd -S -c MD5
    If supports both MD5 and SHA512 (besides others). Salt is generated randomly.

    To generate MD5 password only (without having to give the username) you can use
    openssl passwd –1 -salt xyz
    In this case, you choose the salt.

Leave a Reply