hash – What hash algorithm does VirtualBox use for passwords in its configuration files?

See the source code for vboxmanage internalcommands. The command PasswordHash is mapped to the function CmdGeneratePasswordHash near the bottom of the file. Above the definition of the function, there is an elaborate comment detailing all the properties of the algorithm:

Generate a SHA-256 password hash

So it's a simple SHA-256 hash. No salt, no iterations, no memory hardness. And this is not encryption, so they do not encrypt your password: they hash it. But not very well.

SHA-256 itself does not protect your password very well because it is fast to brute force. Only a very strong password is secure and will not be recovered from the configuration file. Therefore, a randomly generated password (stored in a password manager) is recommended. If you do not use a very strong password, consider the configuration file to contain your password in plain text.

To test the theory, the documentation you linked also mentions an example of a hash:


Looking up the hash, we find not only the documentation page, but also the fact that it corresponds to "secret".

While searching for this, I also found a passlib page mentioning virtualbox. I did not know about this project, but it seems like it might be useful for similar questions when you want to know which hash is used by different software.

Note that when generating your password hash with vboxmanage, your password will be saved in your command history. To avoid this, you can use the following:

$ read -s pwd
$ VBoxManage internalcommands passwordhash "$pwd"

After the read command, with the -s flag so the password is not echoed, you type your password. When you press enter, the prompt returns and you can enter the second command. If you do echo "$pwd" you will see that this variable contains your password.

Better yet, generate a password randomly instead of typing it:

pwd=$(</dev/urandom tr -dc a-zA-Z0-9 | head -c 16)
echo "Password: $pwd"
VBoxManage internalcommands passwordhash "$pwd"
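As an added example (not code from the answer above or from VirtualBox's source), this reproduces the unsalted SHA-256 format the answer describes, generates a password of the same shape as the shell one-liner, estimates how much guessing entropy that shape gives, and checks a hash taken from a config file against one known candidate. UTF-8 encoding of the password and lowercase hex output are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Same alphabet as the answer's one-liner: tr -dc a-zA-Z0-9
ALPHABET = string.ascii_letters + string.digits


def vbox_password_hash(password: str) -> str:
    """Reproduce what `VBoxManage internalcommands passwordhash` prints.

    As the answer notes, this is a plain SHA-256 digest: no salt, no
    iteration count, no memory-hard function. Assumed: the password is
    UTF-8 encoded and the digest is shown as lowercase hex.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def generate_password(length: int = 16) -> str:
    """Random alphanumeric password, like `</dev/urandom tr -dc a-zA-Z0-9 |
    head -c 16`, but drawn from Python's CSPRNG-backed secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of this shape.

    62^16 is about 95 bits, which is why a random 16-character password
    holds up even though the stored hash is unsalted and fast to compute.
    """
    return length * math.log2(alphabet_size)


def hash_matches(stored_hash: str, candidate: str) -> bool:
    """Check one candidate password against a hash from a VirtualBox config.

    Constant-time comparison so the check itself leaks nothing via timing.
    """
    return hmac.compare_digest(vbox_password_hash(candidate), stored_hash.lower())


if __name__ == "__main__":
    pwd = generate_password()
    print(f"Password: {pwd}")
    print(f"Hash:     {vbox_password_hash(pwd)}")
    print(f"Entropy:  {entropy_bits(len(pwd)):.1f} bits")
```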