Linux Upgrade Password Hashing Algorithm to SHA-512

The default algorithm for storing password hashes in /etc/shadow is MD5. I was told to use the SHA-512 hashing algorithm. How do I set password hashing using SHA-256 and SHA-512 under CentOS or Red Hat Enterprise Linux 5.4?

You need to use the authconfig command to set up SHA-256/512 hashing. This command provides a simple method of configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used for shadow password support. Basic LDAP, Kerberos 5, and SMB (authentication) client configuration is also provided.

Display Current Hashing Algorithm

Type the following command:
# authconfig --test | grep hashing
Sample outputs:

password hashing algorithm is md5

Configure Linux Server To Use The SHA-512

To configure the Linux system to use the SHA-512 algorithm, enter:
# authconfig --passalgo=sha512 --update
Note that existing hashes in /etc/shadow are not converted: users need to change their passwords in order to generate hashes using SHA-512. You can force a user to change their password on next login:
# chage -d 0 userName
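
To find which accounts still carry an older hash after the switch, the scheme can be read from the id prefix of the hash field in /etc/shadow. The following is an added example, not part of the original article; the function names and the sample shadow lines are constructed for illustration, and it only prints the chage commands for review rather than running them.

```shell
#!/bin/sh
# Added example: report accounts whose stored hash is not SHA-512 ($6$).
# Usage: list_legacy_hashes [shadow-file]   (default /etc/shadow, needs root;
# pass "-" to read from stdin).

list_legacy_hashes() {
    shadow_file="${1:-/etc/shadow}"
    awk -F: '
    {
        hash = $2
        # Drop lock markers ("!" / "!!"): a locked account keeps its old
        # hash, which becomes active again if the account is unlocked.
        sub(/^!+/, "", hash)
        # No usable password (empty, "*", or lock marker only): nothing to upgrade.
        if (hash == "" || hash == "*") next
        # Already SHA-512.
        if (hash ~ /^\$6\$/) next
        if      (hash ~ /^\$1\$/)         scheme = "md5"
        else if (hash ~ /^\$5\$/)         scheme = "sha256"
        else if (hash ~ /^\$2[abxy]?\$/)  scheme = "blowfish"
        else if (hash !~ /^\$/)           scheme = "des"
        else                              scheme = "unknown"
        print $1, scheme
    }' "$shadow_file"
}

# Turn the report into "chage -d 0 <user>" lines for an admin to review.
print_expiry_commands() {
    list_legacy_hashes "$1" | awk '{ print "chage -d 0 " $1 }'
}

# Constructed sample in /etc/shadow format (hash bodies are placeholders).
sample_shadow() {
    cat <<'EOF'
root:$6$saltsalt$CONSTRUCTEDHASH:14560:0:99999:7:::
alice:$1$saltsalt$CONSTRUCTEDHASH:14560:0:99999:7:::
bob:$5$saltsalt$CONSTRUCTEDHASH:14560:0:99999:7:::
carol:!$1$saltsalt$CONSTRUCTEDHASH:14560:0:99999:7:::
daemon:*:14560:0:99999:7:::
nopw:!!:14560:0:99999:7:::
olddes:abJnggxhB/yWI:14560:0:99999:7:::
EOF
}

# Demo on the constructed sample.
sample_shadow | list_legacy_hashes -
```

On a real system, run `list_legacy_hashes` as root with no argument to read /etc/shadow.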

14 comments
  • Andrii Nov 11, 2009 @ 12:52

    Does it work in Debian?

  • iCroc Nov 11, 2009 @ 14:29

    This message appears:

    authconfig: Unknown password hashing algorithm specified, using sha256.

  • iCroc Nov 11, 2009 @ 22:19

    I have solved this problem by replacing this command
    authconfig --passalgo=SHA512 --update
    with
    authconfig --passalgo=sha512 --update

    Because there is no algorithm called SHA512

    Best Regards

  • Philippe Petrinko Nov 12, 2009 @ 10:56

    Hi Vivek,
    This is an Interesting post. Thanks for writing it.

    BTW, would you modify
    # authconfig --passalgo=SHA512 --update

    to lowercase “sha512” as iCroc observed?

  • kubrick Nov 12, 2009 @ 11:16

    I’ve found this little article for Debian based systems.
    You could change the default MD5 algorithm for the more secure Blowfish.

    On Debian GNU/Linux, switching from the default MD5 algorithm to Blowfish is slightly more work, but still not terribly difficult to accomplish:

    First, install the libpam-unix2 module. That can be done simply via APT, Debian’s software management system, using the command
    # apt-get install libpam-unix2
    Next, edit /etc/pam.d/common-auth, /etc/pam.d/common-account, /etc/pam.d/common-session, and /etc/pam.d/common-password so that in each file you replace with
    Finally, while you are editing the common-password file, change the term md5 so that it reads blowfish instead.


  • 🐧 nixCraft Nov 12, 2009 @ 13:17

    @ iCroc / Philippe

    Thanks for pointing out the typo.

    @ kubrick,

    Thanks for sharing Debian specific information.

  • j0rn Nov 24, 2009 @ 23:45

    nice tip, thx :)
    the algorithm corresponds to the second parameter in shadow passwords entries


    $1$ is md5 while $6$ is sha512, $0$ should be old des and $2$ blowfish I think

    man crypt ;)

    I updated my local users digest “by hand” by modifying the “ENCRYPT_METHOD” directive directly in login.defs, but I didn’t that -more elegant- way to do

  • KING SABRI Jan 11, 2010 @ 1:38

    Thanks Vivek

    Fedora 12 by default uses SHA-512
    CentOS-5.4 by default uses MD5
    Ubuntu by default uses MD5, but the command is not found

  • 🐧 nixCraft Jan 11, 2010 @ 4:46

    Try kubrick comment # 5, it may work on Ubuntu too…

  • wedgeshot Apr 7, 2010 @ 14:43

    Actually Ubuntu is sha512 in 9.04 and 9.10. I don’t remember changing anything related to PAM so that should be the default

  • chris Jul 30, 2012 @ 8:54

    sha-512 should not be used for passwords. nor should md5 – you need some kind of HMAC solution instead – see hashcat speeds for a great example of what’s really weak.

  • william Oct 23, 2012 @ 2:35

    does it affect other passwords like application servers installed in the same linux box?

  • Jan Gerrit Kootstra Apr 5, 2016 @ 21:38

    Warning: does not seem to work if you use openldap clients. I have not found the correct syntax to add openldap client support.

  • Arsalan May 23, 2016 @ 18:31

    Awesome Blossom :) thx
