FreeBSD: Good-bye, md5crypt

The author of “md5crypt” considers it no longer safe for use in password encryption. This affects various *BSD systems, including FreeBSD, since md5crypt was long the default encryption applied to passwords in the system. Now, though, md5crypt is susceptible to brute-force attacks on GPU hardware, which can break an 8-character password in a couple of days. Some recent security failures around the internet are now attributed to the breaking of md5crypt password hashes.

To find out if your *BSD system needs to be changed, do the following:

grep passwd_format /etc/login.conf

If the line returned by that includes “md5”, you have a problem. (If it says “des”, you’ve had a big problem for a long time.)

If you have a problem, do the following:

su
vi /etc/login.conf
/passwd_format

Change “md5” to one of the newer encryption methods, like SHA (sha256 or sha512) or Blowfish (blf).

:wq

cap_mkdb /etc/login.conf

exit

Then change at least the root password and the password for everyone in the “wheel” group. New passwords and changed passwords will be stored with the new default encryption; existing hashes are not converted until the password is changed. You can verify this by looking at the password hashes in /etc/master.passwd.
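As an added example (not part of the original post), a small POSIX shell script that does that verification step against constructed sample files: it reads passwd_format from a login.conf-style file and classifies each master.passwd hash by its crypt(3) prefix, listing accounts that still carry md5 or des hashes. The temp-directory paths and every hash value are constructed for the demonstration; point the functions at the real files only when you want to audit a live system.

```shell
# Added example (not from the original post): classify the crypt(3) hash prefixes in a
# master.passwd-style file to confirm, after the login.conf change and password resets,
# that no account still carries an md5crypt ($1$) or DES hash. All files written are fake.

# Name the algorithm behind one password-field value.
hash_type() {
    case "$1" in
        '*'*|'!'*|'')    echo locked ;;   # locked account / no password set
        '$1$'*)          echo md5 ;;      # md5crypt, the weak old default
        '$5$'*)          echo sha256 ;;
        '$6$'*)          echo sha512 ;;
        '$2a$'*|'$2b$'*) echo blf ;;      # Blowfish (bcrypt)
        '$'*)            echo unknown ;;  # some other modular-crypt scheme
        *)               echo des ;;      # traditional 13-character DES, no prefix
    esac
}

# Print the first passwd_format value in a login.conf-style file, or "unset".
login_conf_format() {
    fmt=$(sed -n 's/.*:passwd_format=\([a-z0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${fmt:-unset}"
}

# Print "name algorithm" for every account whose stored hash is still md5 or des.
# master.passwd fields: name:passwd:uid:gid:class:change:expire:gecos:home:shell
weak_accounts() {
    while IFS=: read -r name pw _rest; do
        case "$name" in ''|'#'*) continue ;; esac
        t=$(hash_type "$pw")
        if [ "$t" = md5 ] || [ "$t" = des ]; then echo "$name $t"; fi
    done < "$1"
    return 0
}

# Write constructed login.conf and master.passwd files to a temp directory so the
# demo never touches the live system; prints the directory path.
make_samples() {
    d=$(mktemp -d)
    printf 'default:\\\n\t:passwd_format=md5:\\\n\t:copyright=/etc/COPYRIGHT:\n' > "$d/login.conf"
    printf '%s\n' \
        'root:$1$FAKESALT$FAKEmd5crypthash00000000000:0:0::0:0:Charlie &:/root:/bin/csh' \
        'ops:$6$FAKESALT$FAKEsha512hash000000000000000000000:1001:0::0:0:Ops:/home/ops:/bin/sh' \
        'old:FAKEdes13char:1002:1002::0:0:Old account:/home/old:/bin/sh' \
        'svc:*:1003:1003::0:0:Service:/nonexistent:/usr/sbin/nologin' > "$d/master.passwd"
    echo "$d"
}

dir=$(make_samples)
echo "passwd_format: $(login_conf_format "$dir/login.conf")   (md5 means change it)"
echo "accounts still on weak hashes:"; weak_accounts "$dir/master.passwd"
rm -r "$dir"
```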

Wesley R. Elsberry
