Good night!
I'm using a chpasswd.cgi to change passwords via web. The problem is that when I change the password to 123456789 it won't work. I'm migrating a proxy server to a new one, and I have more than 2k passwords.
I noticed that crypt() limits the passwords to 8 digits, and I have some passwords that go beyond that. I tried to look into /etc/pam.d/common-password but I think that has nothing to do with what I want.
If your script is inheriting a default hash type, changing ENCRYPT_METHOD in /etc/login.defs may do what you're looking for. Depending on what OS release track you're using, available hash types may include the following (none are great options in modern times):

- MD5 (actually md5crypt) - EOL'd by the author
- SHA256 (actually sha256crypt) - work increases with length (bad)
- SHA512 (actually sha512crypt) - work increases with length (bad)
- DES (actually descrypt) - truncates at 8 chars; only two-byte salt

But sha256crypt or sha512crypt are probably the "least bad".

For those two, you will also want to increase SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS in the next config section to be as high as your users can stand (usually around the 500ms mark is when they'll start to notice). Keeping those values as a range (instead of the same value) will cause each hash to get a different, randomly distributed work factor within that range. This is a desirable countermeasure against cracking tools that work best (or only work) when all work factors are the same (such as hashcat).
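As an added example (not part of the answer above, nor code from the shadow project), a small Python audit helper that applies those points to a migration like the asker's: it classifies existing shadow hashes by prefix, so the entries that were produced with descrypt (and therefore only ever verified the first 8 characters) can be found, and it checks a login.defs fragment for ENCRYPT_METHOD and for a MIN/MAX rounds range rather than a single value. The assumed default of DES when ENCRYPT_METHOD is unset follows the login.defs man page; all hash and config values used are constructed.

```python
import re

# Prefixes glibc crypt() uses for the methods named in the answer; a 13-character
# hash containing no '$' at all is traditional descrypt.
PREFIX_TO_METHOD = {"$1$": "MD5", "$5$": "SHA256", "$6$": "SHA512"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # applies when a $5$/$6$ hash has no rounds= field


def classify_hash(hashed: str) -> dict:
    """Report the crypt method of one shadow hash and the longest password
    it can actually verify (None = no truncation)."""
    for prefix, method in PREFIX_TO_METHOD.items():
        if hashed.startswith(prefix):
            rounds = None
            if method != "MD5":
                m = re.match(r"\$[56]\$rounds=(\d+)\$", hashed)
                rounds = int(m.group(1)) if m else SHA_CRYPT_DEFAULT_ROUNDS
            return {"method": method, "max_len": None, "rounds": rounds}
    if len(hashed) == 13 and "$" not in hashed:
        return {"method": "DES", "max_len": 8, "rounds": None}
    return {"method": "UNKNOWN", "max_len": None, "rounds": None}


def parse_login_defs(text: str) -> dict:
    """Parse KEY<whitespace>VALUE lines of a login.defs file, skipping comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def audit_login_defs(settings: dict) -> list:
    """Return findings against the answer's advice: no DES, and a
    SHA_CRYPT_MIN_ROUNDS < SHA_CRYPT_MAX_ROUNDS range rather than one value."""
    findings = []
    method = settings.get("ENCRYPT_METHOD", "DES")  # DES is the documented default
    if method == "DES":
        findings.append("ENCRYPT_METHOD DES: passwords silently truncated to 8 chars")
    elif method in ("SHA256", "SHA512"):
        lo = settings.get("SHA_CRYPT_MIN_ROUNDS")
        hi = settings.get("SHA_CRYPT_MAX_ROUNDS")
        if lo is None or hi is None:
            findings.append("SHA_CRYPT_*_ROUNDS unset: default 5000 rounds applies")
        elif int(lo) == int(hi):
            findings.append("MIN == MAX rounds: every hash gets the same work factor")
    return findings
```

Run classify_hash over the second field of each /etc/shadow line to list the accounts whose hashes are descrypt; those users will need a password reset rather than a copied hash once ENCRYPT_METHOD is changed.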