Enforcing SHA-2 on administrator account passwords

MD5 is less secure than SHA-2. By default, account passwords are hashed with the SHA-512 hash function.

The password hash functionality enables you to do the following:

  • Display user accounts that match the specified hash function.
  • Expire accounts that use a specified hash function (for example, MD5), forcing the users to change their passwords in their next login.
  • Lock accounts whose passwords use the specified hash function.

ONTAP accepts pre-hashed SHA-2 passwords only by using the Manageability SDK (security-login-create and security-login-modify-password).

  1. Migrate the MD5 administrator accounts to the SHA-512 password hash function:
    1. Expire all MD5 administrator accounts: security login expire-password -vserver * -username * -hash-function md5
      Doing so forces MD5 account users to change their passwords upon next login.
    2. Ask users of MD5 accounts to log in through a console or SSH session.
      The system detects that the accounts are expired and prompts users to change their passwords. SHA-512 is used by default for the changed passwords.
  2. Optional: For MD5 accounts whose users do not log in to change their passwords within a period of time, force the account migration:
    1. Lock accounts that still use the MD5 hash function (advanced privilege level): security login expire-password -vserver * -username * -hash-function md5 -lock-after integer
      After the number of days specified by -lock-after, users cannot access their MD5 accounts.
    2. Unlock the accounts when the users are ready to change their passwords: security login unlock -vserver vserver_name -username user_name
    3. Have users log in to their accounts through a console or SSH session and change their passwords when the system prompts them to do so.