Thanks biovizier. You're absolutely right, deleting the extra text after ";shadowHash;" and then resetting the password for the user's account does seem to force OS X to rehash the password using SHA1.
Just in case someone else has this question in the future, here's how to verify that your password is hashed in SHA1:
Log in as Root and open the /private/var/db/shadow/hash folder. You'll see files with long, weird names. You'll also see an XML file (with the extension *.state) for each of the files with long, weird names. The XML file contains several tags that tell OS X information about the hashed password - things like when it last logged on, when it was created, how many times login failed, etc.
We're interested in the other files - the ones that don't end in ".state"
To verify that SHA1 is being used, open the long, weird files in textedit. You should see something like this:
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000059G31HJ75BR54210P07Y57BC57094D643H78K8765L98C6X000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000
There should be a few more zeros; I've cut some out here to save space.
What should NOT exist is the following:
The second Hashed value does not start with zeros. This hash value is not SHA1. It is the less secure encryption method required for compatibility with Windows.
If your hash file opens with zeros, you're using SHA1. Otherwise, follow Biovizier's procedure: Open NetInfo, select the user account whose password needs to be changed back to SHA1, look at the "authentication_authority" value, make sure the value is set to ;ShadowHash; and that no additional text follows that string, then reset the affected account's password. You can then log back in as root and re-check the hash files using textedit and you should find that the hash file opens with solid zeros instead of letters and numbers.
Do NOT manually edit the hash files in textedit. One of those files is the hash for the Root password. If you change that hash file, your root password will no longer work (because when you type MYPASSWORD, OS X will hash that string and find that the hashed value no longer matches the stored hash value in /private/var/db/shadow/hash and OS X will therefore reject your password as incorrect) and you will quickly find yourself locked out of your computer for good.
And finally, just in case you have the computing power of the NSA and are thinking about running the hashes I've listed here: A) They aren't the right length; I've left some characters out and B) I randomly substituted different alphanumerics in for the ones in my real hashes with no rhyme or reason.
Which brings me to another point: NEVER post your hashes online. Yes, it takes a TON of computing power to break them, but still, they're hidden away for a reason!
Anyway, I hope this helps other security buffs out there.
I'm going to make a suggestion to Apple that OS 10.5 be changed so that when you unclick "windows file sharing" the OS immediately rehashes your password in SHA1 again.
-Bryan
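The zero-prefix check described in the post above can be run over the whole folder without opening any hash file in an editor. This is an added example script, not part of the original post or any Apple tool; the function names and the 64-character prefix length (`PREFIX_LEN`) are assumptions. It prints only a verdict per file, never the hash contents.

```shell
#!/bin/sh
# Added example: report which shadow hash files open with zeros.
# Read-only; prints a verdict per file and never the hash itself.

PREFIX_LEN=64   # assumption: number of leading characters that must be zeros

# classify_hash_file FILE
# Prints "sha1-only", "legacy-hash-present" or "unreadable".
classify_hash_file() {
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    # Ignore line breaks so a wrapped file is judged the same way.
    prefix=$(tr -d '\r\n' < "$1" | head -c "$PREFIX_LEN")
    if [ "${#prefix}" -lt "$PREFIX_LEN" ]; then
        echo "unreadable"          # too short to judge
        return 0
    fi
    # Delete every '0'; anything left means the file does not open with zeros.
    rest=$(printf '%s' "$prefix" | tr -d '0')
    if [ -z "$rest" ]; then
        echo "sha1-only"
    else
        echo "legacy-hash-present"
    fi
    return 0
}

# audit_dir DIR
# One "name<TAB>verdict" line per hash file; the *.state XML files are skipped.
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.state) continue ;;
        esac
        verdict=$(classify_hash_file "$f")
        printf '%s\t%s\n' "$(basename "$f")" "$verdict"
    done
    return 0
}

# Usage (as root): sh audit.sh /private/var/db/shadow/hash
if [ "$#" -ge 1 ]; then
    audit_dir "$1"
fi
```

Any account reported as `legacy-hash-present` is a candidate for the ";ShadowHash;" cleanup and password reset described in the post.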