This is an overview of the most popular command-line crypto hash generation tools available on the Linux platform, especially Gentoo. There are probably many more tools for that purpose, but these are the ones used here. It was hard to find a tool that generates Blowfish hashes out of the box. There are hardly any tools for that; one of the most popular is shipped with the apache2 server. If you find additional tools, especially for bcrypt, write me an email and I'll update the list.

These tools work out of the box.

htpasswd

The one and only Linux tool that generates Blowfish hashes out of the box after installation. htpasswd generates $2y-prefixed Blowfish hashes. The prefix is not interesting in terms of the encryption: every implementation works the same if done correctly. The prefix exists to distinguish between bugged and fixed hashes among those already created; it is Apache-specific and related to the implementation used. If you see a different prefix, it is related to the implementation on a specific platform or version of the software used.

user % htpasswd -h

Usage:
        htpasswd [-cimBdpsDv] [-C cost] passwordfile username
        htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password

        htpasswd -n[imBdps] [-C cost] username
        htpasswd -nb[mBdps] [-C cost] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -b  Use the password from the command line rather than prompting for it.
 -i  Read password from stdin without verification (for script usage).
 -m  Force MD5 encryption of the password (default).
 -B  Force bcrypt encryption of the password (very secure).
 -C  Set the computing time used for the bcrypt algorithm
     (higher is more secure but slower, default: 5, valid: 4 to 17).
 -d  Force CRYPT encryption of the password (8 chars max, insecure).
 -s  Force SHA encryption of the password (insecure).
 -p  Do not encrypt the password (plaintext, insecure).
 -D  Delete the specified user.
 -v  Verify password for the specified user.
On other systems than Windows and NetWare the '-p' flag will probably not work.
The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.

13 rounds is now the default set in the templates of the Linux distribution used here (Gentoo). Here is an example of how to generate a hash with a cost (-C) of 15, sometimes referred to as rounds:

user@host % htpasswd -bnBC 15 "" password | tr -d ':\n'
$2y$15$38yZWnqA5TklswRQfMzFUeyq/S4jc2ZEpB3.8Kq.M0HBL1zERFEZW%

Testing authentication with 15 rounds: test it yourself, as there is no silver bullet for every hardware platform (CPU). Choosing the number of rounds is a matter of give and take; the question is how long the user can wait for a successful authentication. The authentication delay with 15 rounds is already long, which is the reason for using cost 10 in the netlabs. The example above already has a very noticeable delay during authentication; cost 15 is expensive. Try it out by creating a local test user and replacing the standard SHA-512 hash with a Blowfish hash generated with that cost. Then authenticate over SSH on localhost as a test.

mkpasswd

mkpasswd has the libcrypt standard hashes included:

user % mkpasswd --method --help

Available methods:
sha512crypt     SHA-512
sha256crypt     SHA-256
md5crypt        MD5
descrypt        standard 56 bit DES-based crypt(3)

Bcrypt is missing from that list.

SHA-512

user % mkpasswd -m sha512crypt -s

3DES

DES or 3DES, that is the question; I am not sure which one is created, I hope 3DES:

user % mkpasswd -s

OpenSSL

OpenSSL offers the same number of crypto hashes as mkpasswd, and includes some extra options either for the architecture or the software used:

user % openssl passwd --help

Usage: passwd [options]

General options:
 -help               Display this summary

Input options:
 -in infile          Read passwords from file
 -noverify           Never verify when reading password from terminal
 -stdin              Read passwords from stdin

Output options:
 -quiet              No warnings
 -table              Format output as table
 -reverse            Switch table columns

Cryptographic options:
 -salt val           Use provided salt
 -6                  SHA512-based password algorithm
 -5                  SHA256-based password algorithm
 -apr1               MD5-based password algorithm, Apache variant
 -1                  MD5-based password algorithm
 -aixmd5             AIX MD5-based password algorithm

Random state options:
 -rand val           Load the given file(s) into the random number generator
 -writerand outfile  Write random data to the specified file

Provider options:
 -provider-path val  Provider load path (must be before 'provider' argument if required)
 -provider val       Provider to load (can be specified multiple times)
 -propquery val      Property query used when fetching algorithms

Parameters:
 password            Password text to digest (optional)
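
The prefix and cost fields described above can be read straight off a stored hash, which makes it easy to audit a password file for entries created with the weaker options. The following shell functions are an added example, not part of the original page or of any of the tools shown. The function names, the ok/weak/review verdicts, the MIN_COST threshold (default 10, the cost this page uses in its labs) and every sample entry except the page's own $2y$15$ hash are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify stored password hashes by prefix and bcrypt cost.
# MIN_COST is an assumed policy value (the page uses cost 10 in its labs).
MIN_COST=${MIN_COST:-10}

# classify_hash HASH -> prints "<scheme> <ok|weak|review> [cost=N]"
classify_hash() {
    case $1 in
        '$2'[abxy]'$'[0-9][0-9]'$'*)
            cost=${1#\$2?\$}; cost=${cost%%\$*}; cost=${cost#0}
            body=${1##*\$}            # 22-char salt + 31-char digest
            if [ "${#body}" -ne 53 ]; then echo "bcrypt review"
            elif [ "$cost" -lt "$MIN_COST" ]; then echo "bcrypt weak cost=$cost"
            else echo "bcrypt ok cost=$cost"; fi ;;
        '$6$'*)    echo "sha512crypt ok" ;;
        '$5$'*)    echo "sha256crypt ok" ;;
        '$apr1$'*) echo "apr1-md5 weak" ;;      # htpasswd -m
        '$1$'*)    echo "md5crypt weak" ;;
        '{SHA}'*)  echo "sha1-unsalted weak" ;; # htpasswd -s
        *[!./0-9A-Za-z]*|'') echo "unknown review" ;;
        *)  # 13 chars of the crypt alphabet: looks like descrypt (heuristic)
            if [ "${#1}" -eq 13 ]; then echo "descrypt weak"
            else echo "unknown review"; fi ;;
    esac
}

# audit: read "user:hash" lines (htpasswd layout) on stdin, print a verdict
# per user, and return 1 if any entry is not "ok".
audit() {
    rc=0
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        verdict=$(classify_hash "$hash")
        printf '%s\t%s\n' "$user" "$verdict"
        case $verdict in *' ok'*) ;; *) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample: the first hash is the page's; the others are made up.
BODY='38yZWnqA5TklswRQfMzFUeyq/S4jc2ZEpB3.8Kq.M0HBL1zERFEZW'
audit <<EOF || true
alice:\$2y\$15\$$BODY
bob:\$2y\$05\$$BODY
carol:\$apr1\$constructed\$constructedconstructed
dave:{SHA}constructedconstructed=
EOF
```

To check a real file, feed it on stdin, for example `audit < passwordfile`, and set MIN_COST to the cost your own timing tests settled on.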