How to set up SHA-3 hashing for my passwords?



Today I was looking the best hashing algorithm and I found that SHA-3 seems the best one. I try to edit the file "/etc/pam.d/common-password" (in Debian) for use SHA-3 instead of sha512, i look into the pam_unix documentation but there are not any option for set up SHA-3 (only sha512, blowfish md5, etc).
My question is, how I can use sha-3 (keccak) algorithm for have a better password security?
Someone have more information about it?

Last edited:

Honestly, sticking with SHA512 would be better. There is no real benefit to using SHA3 instead. Now, using SHA1 is flawed for sure. What you might want to take a look at is PAM and which versions of the hashing algorithms it supports. (which you already did. ;)) But which algorithms are supported but not enabled on a default Debian installation.

I know of no Linux distro that supports SHA3 hasing for passwords. The current standard seems to be MD5 though some distributions are moving to SHA512. Perhaps building PAM from source would allow you to enable SHA3 support.

hash functions like MD5 or SHA- are not actually supposed to be used for storing passwords. They’re designed to be as fast as possible while still having a low risk of collisions and a high minimum distance for small differences in inputs.
And that is exactly not what people want when it comes to storing passwords, those functions should be vastly slower.
There are a variety of password storage functions, for example bcrypt or PBKDF2- (which is actually a key derivation algorithm, but that’s nearly the same thing anyway – same goals, similiar usage).
I read some things about hashing algorithms (like
) and seems better. Someday I'll try to build PAM from source and add SHA-3.

I hoped that there will be some patch to do it easily, well, thank you very much for the answer.
I'm not sure what you mean by better password security. Using a different hash isn't really going to make brute forcing that much harder.

Perhaps it may be more secure if they got a copy of your shadow file, and they were trying to break the passwords, but if someone got a copy of your shadow file, I think you have bigger security problems than how hard your hashes are to break.

If you really want to do it, it sounds like a compile time option so you may be able to do a deb source on pam, set the flag, recompile, and install. However you will need to do this for every update, and if someone runs an upgrade you could overwrite pam with a copy that doesn't understand your hashes which would lock you out. Personally, I'd just wait for out of the box support.
Possibly I will wait an official upgrade, but till the moment I think that is interesting try to do it oneself if there are not alternatives.

Obviously is more important protect the shadow file, but I had this doubt. Thank you.
Actually, simple salted and crypt(3)ed hash is not very secure against brute force. Really secure password hashers are things like argon2, bcrypt, or pbkdf2. I wonder if there is a way to use one of them with PAM, especially argon2 (it's currently considered to be the best password hash algorithm ever).

Correction: I was incorrect. Currently-default sha-crypt is actually very similar to bcrypt and has configurable number of iterations. However, argon2 is way more RAM-intensive and otherwise can't be broken as easily with GPUs and ASICs.
Last edited:

Members online