Sandfly Blog
Obsolete password hashes on Linux are a threat to user credentials and an enabler of lateral movement. An old or weak password hash generally means two things: the password is cheap to crack, and the account or system it belongs to has probably been neglected.
In this video we discuss this threat and how Sandfly can agentlessly and rapidly identify user accounts vulnerable to this attack.
On Linux systems, passwords aren’t stored in plain text. When you set a password, it is run through a one-way password hashing function, and the resulting hash (together with a salt and an identifier for the scheme used) is stored in the /etc/shadow file. This ensures that even if an attacker steals the file, they can’t immediately read the passwords. To recover a password they have to guess candidates, hash each one the same way and compare, which on modern GPUs runs at millions of attempts per second. This protection hinges on how expensive the hashing scheme is. Older schemes such as the MD5-based crypt (the $1$ prefix) were reasonable when CPUs were slow, but their fixed, low work factor lets a single modern GPU test tens of millions of guesses per second, so outdated hashes fall quickly, especially when users choose weak passwords.
Legacy hashes such as the MD5-based crypt are a major security liability. Modern schemes like yescrypt are deliberately slow, memory-hard and tunable, so the cost of each guess can be raised as hardware improves; MD5-based hashes cannot be, and are cracked quickly with today’s technology. The risk is compounded by poor passwords, which are very common.
Beyond the immediate threat of cracking, old password hashes often indicate deeper issues. Old hashes are typically found on legacy systems that may not be patched or updated. These systems are more likely to have other vulnerabilities—unpatched software, misconfigurations, or weak security settings—that attackers can exploit to gain a foothold. Once inside, they can steal the hashes, crack them, and use the passwords for lateral movement across the network.
Even on modern systems, an obsolete hash might suggest an old user account migrated from a legacy setup, with a password unchanged for years. If that password was compromised elsewhere, attackers could instantly access the current system.
To identify obsolete hashes, check the /etc/shadow file (readable only by root). The second field of each entry is the hash, and it begins with a $-delimited prefix naming the algorithm: $1$ is the MD5-based crypt, $5$ is SHA-256 crypt, $6$ is SHA-512 crypt and $y$ is yescrypt, while a 13-character hash with no prefix at all is the original DES crypt.
In the demo above, one user has a $y$ prefix (yescrypt), while another hash starts with $1$ (MD5), a clear red flag. The fix is to make sure the system hashes new passwords with a modern scheme such as yescrypt and then have the affected users set a new password, so the old hash is replaced; an account that nobody still needs should be locked or removed instead.
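The prefix check and the remediation described above, as an added shell example that is not Sandfly’s code. It classifies each /etc/shadow entry by its crypt prefix, flags MD5-based and DES hashes as obsolete, reports the configured ENCRYPT_METHOD, and can expire the flagged users’ passwords so they are re-hashed at next login. The sample shadow data is constructed and its hash bodies are placeholders; it assumes a POSIX sh with awk, chage(1) from shadow-utils, and /etc/login.defs as the place ENCRYPT_METHOD is set.

```shell
#!/bin/sh
# Added example (not Sandfly's code): audit /etc/shadow for obsolete
# password hashes by the crypt(3) prefix of the hash field.
# Assumptions: POSIX sh, awk, chage(1) from shadow-utils, /etc/login.defs.

# Name the hashing scheme used by one shadow hash field.
hash_algo() {
    case "$1" in
        '')                       echo empty ;;        # no password at all
        '!'*|'*'*)                echo locked ;;       # locked or no-login account
        '$y$'*)                   echo yescrypt ;;
        '$gy$'*)                  echo gost-yescrypt ;;
        '$7$'*)                   echo scrypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        '$6$'*)                   echo sha512crypt ;;
        '$5$'*)                   echo sha256crypt ;;
        '$1$'*)                   echo md5crypt ;;
        *)  # traditional DES crypt is exactly 13 characters with no prefix
            if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# Read shadow-format lines on stdin, print "user:algorithm:verdict".
audit_shadow() {
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        algo=$(hash_algo "$hash")
        case "$algo" in
            md5crypt|descrypt) verdict=OBSOLETE ;;
            empty)             verdict=NO_PASSWORD ;;
            locked)            verdict=locked ;;
            unknown)           verdict=REVIEW ;;
            *)                 verdict=ok ;;
        esac
        printf '%s:%s:%s\n' "$user" "$algo" "$verdict"
    done
}

# Just the user names whose hash uses an obsolete scheme.
obsolete_users() {
    audit_shadow | awk -F: '$3 == "OBSOLETE" { print $1 }'
}

# Scheme that shadow-utils will use for new passwords (pam_unix may take its
# own setting from /etc/pam.d/, so check that too on your distribution).
current_encrypt_method() {
    awk '$1 == "ENCRYPT_METHOD" { print $2 }' "${1:-/etc/login.defs}"
}

# Root only: expire each named user's password so a new one must be set at
# next login; the replacement hash is produced by the configured scheme.
force_rehash() {
    for u in "$@"; do chage -d 0 "$u"; done
}

# Constructed sample; hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW='root:$y$j9T$saltsaltsaltsalt$placeholderhashbody:19700:0:99999:7:::
svc:$6$saltsalt$placeholderhashbody:19700:0:99999:7:::
legacy:$1$saltsalt$placeholderhashbody:15000:0:99999:7:::
oldsvc:AbCdEfGhIjKlM:12000:0:99999:7:::
nobody:*:19700:0:99999:7:::
empty::19700:0:99999:7:::'

# Demo run on the sample. On a real host, as root: audit_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On the sample this reports legacy (md5crypt) and oldsvc (descrypt) as OBSOLETE and the empty entry as NO_PASSWORD, which is worse than any hash. Before calling force_rehash on the flagged users, confirm that current_encrypt_method prints YESCRYPT (or another modern scheme) and that your PAM password stack agrees; otherwise the new password will simply be stored with the same weak hash.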
Outdated hashes aren’t just a technical footnote—they’re a gateway for attackers. Once cracked, they provide credentials that can unlock further access, especially in environments with poor account management. Weak hashes often correlate with broader neglect, like unpatched systems or forgotten accounts, making them a high-priority fix. For enterprises, the stakes are even higher. A single cracked password can lead to widespread breaches, data loss, or ransomware. By eliminating obsolete hashes, you shrink your attack surface and bolster your Linux security posture.
Old password hashes are a liability you can’t ignore. Whether they point to legacy systems or neglected accounts, they’re a weak link that attackers can exploit with ease. Regularly audit your systems, update passwords to modern algorithms like yescrypt, and address any underlying issues they reveal. For more Linux security tips, check out Sandfly Security’s video series. Taking these steps today could prevent a costly breach tomorrow.
Sandfly is able to find this and many other types of Linux attacks without deploying any endpoint agents. Get your free license today or contact us for more information.