How to re-hash your /etc/shadow / login passwords with a newer algorithm (like YesCrypt)?

Given recent incidents, where password hashes may be exposed…

I read that Fedora 37 switched to YesCrypt a long time ago.

It’s also written there how to check what your password is hashed with. It might e.g. yield this:

$ sudo cat /etc/shadow|grep $USERNAME 
rugk:$6$…

So, now… this is obviously not YesCrypt ($y$), so how do I fix this? Specifically, let’s do it step by step:

  1. How to find out what $6$ stands for, i.e. what password hash algorithm is currently used? (I tried man shadow, but that resulted in something wildly unrelated.)
  2. More important, how to actually upgrade?
  3. The f37 change there said “rehashing the current password silently is no problem for them, though”, so why was my password not re-hashed, or do I read the wiki page wrong and this part was not actually agreed upon?

My system has gone through quite some upgrade hooks, but currently it is now Fedora Silverblue 39 (39.20240325.0).

2 Likes

I would just type passwd and type in the password you want to use. You can type the same password in as before. After you are done it should be $y$ in /etc/shadow.

6 Likes

This is sha512crypt. Those prefixes and their meanings are listed in the crypt(5) man page.

1 Like
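
An added example, not part of the thread: a small shell audit that reads shadow-format lines and reports every account whose stored hash is not yescrypt, using the crypt(5) prefixes mentioned above. The function names (`hash_scheme`, `audit_shadow`, `sample_shadow`) are hypothetical and the sample lines are constructed with placeholder salts and hashes.

```shell
#!/bin/sh
# Added example (not from the thread): report accounts whose stored hash
# is not yescrypt, using the prefixes documented in crypt(5).

# Map one shadow(5) password field to a scheme name.
hash_scheme() {
    h=$1
    [ -n "$h" ] || { echo "empty"; return; }
    # passwd -l prepends '!' but keeps the old hash; strip it to see the scheme.
    while :; do
        case $h in '!'*) h=${h#?} ;; *) break ;; esac
    done
    case $h in
        ''|'*'*)          echo "locked" ;;        # no usable hash stored
        '$y$'*)           echo "yescrypt" ;;
        '$gy$'*)          echo "gost-yescrypt" ;;
        '$7$'*)           echo "scrypt" ;;
        '$2'[abxy]'$'*)   echo "bcrypt" ;;
        '$6$'*)           echo "sha512crypt" ;;
        '$5$'*)           echo "sha256crypt" ;;
        '$1$'*)           echo "md5crypt" ;;
        *)                echo "other" ;;
    esac
}

# Read shadow-format lines on stdin; print "user scheme" for every account
# that would need a password change to move to yescrypt.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        scheme=$(hash_scheme "$hash")
        case $scheme in
            yescrypt|locked) ;;
            *) printf '%s %s\n' "$user" "$scheme" ;;
        esac
    done
}

# Constructed sample input; salts and hashes are placeholders, not real values.
sample_shadow() {
    cat <<'EOF'
alice:$6$SALT$HASH:19800:0:99999:7:::
bob:$y$j9T$SALT$HASH:19800:0:99999:7:::
carol:!$6$SALT$HASH:19800:0:99999:7:::
daemon:*:19000:0:99999:7:::
newuser:!!:19800:0:99999:7:::
EOF
}

sample_shadow | audit_shadow   # real use: sudo cat /etc/shadow | audit_shadow
```

An account locked with a leading `!` still carries its old hash, so it is reported too: unlocking it would bring the sha512crypt hash back into use.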

Unfortunately, that does not actually work, because passwd actually seems to check whether the password is the same as the old one… (in this use case, that is actually fine) :sweat_smile:

$ passwd                 
Changing password for user […].
Current password: 
New password: 
BAD PASSWORD: The password is the same as the old one
passwd: Authentication token manipulation error

Obviously changing it to a temporary password in between may help, but it’s risky, you know, if you forget the temporary password… and cumbersome. :wink:
I also did not find an option to ignore this, but apparently, it is ignored for root, so you can just run:

$ sudo passwd $USERNAME       
Changing password for user […].
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Attention: Do not forget $USERNAME, as otherwise the password of root is changed! (Check what the first line says, whose username is changed.)

1 Like