diff --git a/account/newuser.in b/account/newuser.in
index 4cce49099c13592d70eec6496d379b99450e00a2..2701c8453a1f9347834c35fbd41455e45372b425 100644
--- a/account/newuser.in
+++ b/account/newuser.in
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -w
 #
-# Copyright (c) 2000-2014 University of Utah and the Flux Group.
+# Copyright (c) 2000-2015 University of Utah and the Flux Group.
 #
 # {{{EMULAB-LICENSE
 #
@@ -87,6 +87,7 @@ use libdb;
 use libtestbed;
 use User;
 use EmulabConstants();
+use emutil;
 
 # Protos
 sub fatal($);
@@ -360,7 +361,7 @@ else {
 }
 fatal("Checkpass failed with $?");
 }
- $newuser_args{'usr_pswd'} = crypt($pswd, "\$1\$" . substr(time(), 0, 8));
+ $newuser_args{'usr_pswd'} = PassWordHash($pswd);
 }
 
 #
diff --git a/db/User.pm.in b/db/User.pm.in
index 460a268c9be897789bb81430cd6da5ff053ebdec..568c448f28893d0e300e40e0ec1b21a4ee9cdcca 100644
--- a/db/User.pm.in
+++ b/db/User.pm.in
@@ -876,18 +876,17 @@ sub ModUserInfo($$$$)
 #
 # Compare. Must change it!
 #
- if ($old_encoding eq $new_encoding) {
+ if (!$isadmin && $old_encoding eq $new_encoding) {
 $$usrerr_ref = "Error: " .
 "New password same as old password";
 return undef;
 }
 
 #
- # Do it again. This ensures we use the current algorithm, not whatever
- # it was encoded with last time.
- # XXX Perl crypt doesn't have this option!
- # XXX $new_encoding = crypt($argref->{"password1"});
-
+ # Do it again. This ensures we use the current algorithm with a
+ # new random salt, not whatever it was encoded with last time.
+ #
+ $new_encoding = PassWordHash($argref->{"password1"});
 my $safe_encoding = escapeshellarg($new_encoding);
 
 #
diff --git a/db/emutil.pm.in b/db/emutil.pm.in
index c52b1dcbf1996499244c6ce72e6cf3f0d7991058..33bb528ec52ac1516112de7f09e1aa7514c2344c 100644
--- a/db/emutil.pm.in
+++ b/db/emutil.pm.in
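Review bot: The new `$newuser_args{'usr_pswd'} = PassWordHash($pswd);` stores the result without checking it, and PassWordHash (as added in db/emutil.pm.in in this same commit) builds its salt from TBGenSecretKey(), which returns undef when its dd|md5 pipeline fails; Perl's crypt() also yields undef when the platform's crypt(3) rejects the salt prefix. An undefined usr_pswd would then travel down the account-creation path as if it were a valid hash. Since fatal() already exists in this script, add `fatal("Could not hash password") if (!defined($newuser_args{'usr_pswd'}));` directly after the assignment. The enclosing else block begins outside the hunk.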
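Review bot: `$new_encoding = PassWordHash($argref->{"password1"});` feeds straight into `escapeshellarg($new_encoding)` with no defined check, so a failed hash (PassWordHash returns whatever crypt() returns, and its salt source TBGenSecretKey() can return undef) would be passed downstream as an empty shell argument rather than producing an error. Add `if (!defined($new_encoding)) { $$usrerr_ref = "Error: Could not hash password"; return undef; }` before the escapeshellarg line, matching the error style used a few lines above. Note also that this diff adds `use emutil;` to newuser.in and firstuser.in but shows no such import for User.pm.in; if PassWordHash is not already in scope in this module, the call fails at runtime under strict. ModUserInfo begins and ends outside the hunk, and the origin of `$isadmin` is not visible here.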
@@ -718,11 +718,19 @@ sub BackTraceOnWarning($)
 sub PassWordHash($)
 {
 my ($password) = @_;
-
- my @salt_chars = ('a'..'z','A'..'Z','0'..'9');
- my $salt = $salt_chars[rand(@salt_chars)] .
- $salt_chars[rand(@salt_chars)];
- my $passhash = crypt($password, "\$1\$${salt}");
+ # Leave these here cause of SELFLOADER_DATA;
+ my $MAINSITE = @TBMAINSITE@;
+ my $ELABINELAB = @ELABINELAB@;
+ my $salt;
+ require libtestbed;
+
+ if ($MAINSITE || $ELABINELAB) {
+ $salt = "\$5\$" . substr(libtestbed::TBGenSecretKey(), 0, 16) . "\$";
+ }
+ else {
+ $salt = "\$1\$" . substr(libtestbed::TBGenSecretKey(), 0, 8) . "\$";
+ }
+ my $passhash = crypt($password, $salt);
 return $passhash;
 }
 
diff --git a/tbsetup/libtestbed.pm.in b/tbsetup/libtestbed.pm.in
index 8fd11ed6250101a35608b596351c58a0bb617c5a..6b33b3889f98abc8afc0f304e60cf88b8a6e0534 100644
--- a/tbsetup/libtestbed.pm.in
+++ b/tbsetup/libtestbed.pm.in
@@ -457,7 +457,10 @@ sub TBGenSecretKey()
 
 my $key=`/bin/dd if=/dev/urandom count=128 bs=1 2> /dev/null | /sbin/md5`;
 return undef if ($?);
- chomp($key);
+ # Silly taint check for caller.
+ if ($key =~ /^(.*)$/) {
+ $key = $1;
+ }
 return $key;
 }
 
diff --git a/utils/firstuser.in b/utils/firstuser.in
index d2a34febef6807d18cf401bfe55f14646b82328e..41f42d6ccfa5472db626072485090976e2c416a8 100755
--- a/utils/firstuser.in
+++ b/utils/firstuser.in
@@ -1,6 +1,6 @@
 #!/usr/bin/perl -w
 #
-# Copyright (c) 2000-2012 University of Utah and the Flux Group.
+# Copyright (c) 2000-2012, 2015 University of Utah and the Flux Group.
 #
 # {{{EMULAB-LICENSE
 #
@@ -32,6 +32,7 @@ use lib '@prefix@/lib';
 use libdb;
 use libtestbed;
 use User;
+use emutil;
 
 my $tbadmin = '@TBADMINGROUP@';
 my $ELABINELAB = @ELABINELAB@;
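Review bot: The salt is built from `substr(libtestbed::TBGenSecretKey(), 0, 16)` without checking the key, and TBGenSecretKey() returns undef when its dd|md5 pipeline fails (its `return undef if ($?)` is visible in the next hunk), so on failure the salt silently degrades to `$5$$` or `$1$$` — an empty salt — and a hash is still returned as if valid. Call it once and fail closed: `my $key = libtestbed::TBGenSecretKey(); return undef if (!defined($key));` before the branch, use `$key` in both substr calls, and add `return undef if (!defined($passhash));` after the crypt() call, since Perl's crypt() yields undef when the platform's crypt(3) rejects the prefix; callers then need to handle undef. A one-line comment saying why non-MAINSITE/ELABINELAB installs stay on MD5-crypt (`$1$`) — presumably libcrypt compatibility on older hosts or nodes, but that is not visible here — would keep the branch from reading as an accidental downgrade. The md5 hex output gives 64 bits of salt for `$5$` and 32 bits for `$1$`, which is adequate; note the bare `$5$` salt takes crypt's default round count.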
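Review bot: The untaint pattern `if ($key =~ /^(.*)$/)` accepts any string, so it clears the taint flag without validating anything, which is the pattern taint mode exists to discourage; /sbin/md5 prints exactly 32 hex digits, so a match that both validates and untaints is just as cheap and fails closed on unexpected output: `return undef unless ($key =~ /^([0-9a-f]{32})$/);` followed by `$key = $1;`. The dropped chomp is still covered either way, because `$` matches before a trailing newline and `.` excludes it. Separately, `$?` on a shell pipeline reflects only /sbin/md5, and dd's stderr is discarded, so a failing dd leaves md5 hashing empty input and producing a well-formed but constant digest that neither check can detect; reading /dev/urandom directly in Perl with open/sysread and checking the byte count would make that failure visible, though it is a larger change.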
@@ -128,10 +129,7 @@ if (!defined($password)) {
 }
 }
 if (!defined($encpass)) {
- my @salt_chars = ('a'..'z','A'..'Z','0'..'9');
- my $salt = $salt_chars[rand(@salt_chars)] .
- $salt_chars[rand(@salt_chars)];
- $encpass = crypt($password, "\$1\$${salt}");
+ $encpass = PassWordHash($password);
 }
 
 # Get uid for the user and a gid for the project
diff --git a/www/aptui/changepswd.php b/www/aptui/changepswd.php
index 59a69d88b5599e968807cdf3ac5b06898ae41657..818684ea0f84f57a92e55273cd0415121aa8e674 100644
--- a/www/aptui/changepswd.php
+++ b/www/aptui/changepswd.php
@@ -213,7 +213,13 @@ if (count($errors)) {
 SPITFORM($password1, $password2, $errors);
 return;
 }
-$encoding = crypt("$password1");
+if ($TBMAINSITE || $ELABINELAB) {
+ $salt = "\$5\$" . substr(GENHASH(), 0, 16) . "\$";
+}
+else {
+ $salt = "\$1\$" . substr(GENHASH(), 0, 8) . "\$";
+}
+$encoding = crypt("$password1", $salt);
 $safe_encoding = escapeshellarg($encoding);
 
 #
diff --git a/www/chpasswd.php3 b/www/chpasswd.php3
index c5dfa91aa91fd9100c5a336aa74f0a71c3a1f843..bf330fc8570fab9e7c7f15ec3cb47d60b2411a1d 100644
--- a/www/chpasswd.php3
+++ b/www/chpasswd.php3
@@ -1,6 +1,6 @@
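Review bot: `$encpass = PassWordHash($password);` is used without a defined check; PassWordHash returns crypt()'s result with a salt taken from TBGenSecretKey(), which returns undef on failure, so the bootstrap admin account could be created with an undefined password hash. Because this is the first-user setup script, fail hard rather than continue, e.g. `die("Could not hash password for the first user\n") if (!defined($encpass));` placed after the assignment, or whichever error helper this script uses (none is visible in the hunk).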
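Review bot: PHP's crypt() does not return false on failure — for a salt prefix the platform does not support it returns a string shorter than 13 characters — so `$encoding = crypt("$password1", $salt);` followed directly by `escapeshellarg($encoding)` can hand a junk value downstream with no error; add `if (strlen($encoding) < 13) { /* record an error in $errors and SPITFORM() as above; return; */ }` right after the crypt() call. The `$5$` versus `$1$` selection now exists both here and in Perl's PassWordHash (db/emutil.pm.in in this commit); presumably both write the same password store, so a comment such as `# Keep in sync with PassWordHash() in db/emutil.pm.in` would reduce drift risk, or better, route this through the Perl side so the policy lives in one place. The substr of GENHASH() must also fall within crypt's salt alphabet `[./0-9A-Za-z]`; if GENHASH() returns hex that holds, but it is not visible here.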