For example, rounds=85000 means your computer must compute 85000 hashes every time you log in. This forces an attacker to compute 85000 hashes for each password he tries against the hash in your /etc/shadow, so the attacker is slowed down by a factor of 85000. Most modern computers take less than 1 second to compute 85000 hashes. If you do not specify the rounds option, the system uses the default value for the algorithm in use.
MD5 - default 4096 rounds; SHA256 or SHA512 - default 5000 rounds. Technically the rounds can be shown as:
for 1 to 85000 do
    key = hash(key)
How to specify the rounds option for password hashing?
Red Hat Enterprise Linux (RHEL)
Suse Linux Enterprise Server (SLES)
lpa_module = /usr/lib/security/sblowfish
lpa_options = cost_num=10
Note: In the above case, if the Blowfish algorithm is used, the number of rounds is entered as 2^cost_num. So if you want 1024 (2^10) rounds, you should specify the setting as BLOWFISH_CRYPT_FILES=10. The valid value of cost_num is an integer between 4 and 31, inclusive. While playing around with this setting, I entered a cost_num of 31, and when I tried to change the password for root, the process ran for more than 4 hours .... I finally had to terminate it. The number of rounds for 2^31 = 2147483648 (two billion one hundred forty-seven million four hundred eighty-three thousand six hundred forty-eight). So the password hash will be generated after 2147483648 rounds, which requires more than 6 hours ... The next time the user tries to log in to the system, he needs to wait more than 6 hours for the hash to be computed and then matched against the one stored in the /etc/shadow or /etc/passwd file.
Once the password hashing settings are changed, existing passwords are not automatically re-hashed. To enforce the new setting and close the vulnerability gap, you need to force users to change their passwords.
Force users to change password on next login:
Once the password is changed, the updated hash in the /etc/shadow or /etc/passwd file will look something like :
The entire process of increasing rounds is known as "key stretching", which makes a weak password more resistant to brute-force attacks by increasing the time needed to test each candidate key.
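As an added example (not from the original post), the stretching loop and the re-hashing check described above in Python: it parses the rounds= parameter from SHA-crypt ($5$/$6$) fields in /etc/shadow, applies the default of 5000 when the parameter is absent, and flags accounts whose stored hash still has fewer rounds than the new policy requires. The iterated-hash loop is a simplified stand-in for glibc's SHA-crypt, and the shadow lines are constructed, not real hashes.

```python
import hashlib

# Default stated on the page when no rounds= parameter is present.
SHA_CRYPT_DEFAULT_ROUNDS = 5000
SHA_CRYPT_IDS = {"5": "sha256", "6": "sha512"}


def parse_rounds(hash_field):
    """Return (digest_name, rounds) for a $5$/$6$ hash field, or None for
    anything else (locked accounts '!' or '*', other algorithms)."""
    parts = hash_field.split("$")
    # "$6$rounds=85000$salt$digest" -> ["", "6", "rounds=85000", "salt", "digest"]
    if len(parts) < 4 or parts[1] not in SHA_CRYPT_IDS:
        return None
    rounds = SHA_CRYPT_DEFAULT_ROUNDS
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
    return SHA_CRYPT_IDS[parts[1]], rounds


def stretch(password, salt, rounds, digest="sha512"):
    """Simplified key stretching, 'for 1 to rounds do key = hash(key)'.
    Illustrates the loop only; this is not glibc's real SHA-crypt."""
    key = (salt + password).encode()
    for _ in range(rounds):
        key = hashlib.new(digest, key).digest()
    return key.hex()


def audit_shadow(lines, minimum_rounds):
    """Return users whose SHA-crypt hash has fewer than minimum_rounds
    iterations, i.e. passwords not yet re-hashed under the new policy."""
    weak = []
    for line in lines:
        user, hash_field = line.split(":")[:2]
        parsed = parse_rounds(hash_field)
        if parsed is not None and parsed[1] < minimum_rounds:
            weak.append(user)
    return weak


# Constructed sample /etc/shadow lines (salts and digests are fake).
SAMPLE_SHADOW = [
    "root:$6$rounds=85000$c0nstructedSalt$FAKEDIGEST:19000:0:99999:7:::",
    "alice:$6$c0nstructedSalt$FAKEDIGEST:19000:0:99999:7:::",
    "bob:$5$rounds=20000$c0nstructedSalt$FAKEDIGEST:19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
]

if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW, 85000))  # ['alice', 'bob']
```

Users listed by audit_shadow are the ones whose hashes predate the policy change and should be forced to change their password.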