Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in Unsupported. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#15913 - [shadow] Change default pw encryption to sha512

Attached to Project: Arch Linux
Opened by Gerhard Brauer (GerBra) - Wednesday, 12 August 2009, 08:25 GMT
Last edited by Aaron Griffin (phrakture) - Monday, 17 August 2009, 20:15 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Aaron Griffin (phrakture)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No


By default we currently use md5/DES encrypted user and group passwords. IMHO it is safer against brute-forcing to switch to sha512 as a default.
We should change this on our defaults only, and maybe give a note to the user how and why he should switch this also on his installed system.

To change the defaults (for new users and user passwd changes) these files have to be modified:

a) /etc/pam.d/passwd
-password required md5 shadow nullok
+password required sha512 shadow nullok

b) /etc/login.defs
Add a entry:

c) /etc/default/passwd
This file should be revisit. According to man-page of passwd there are maybe some VARs that don't have an affect anymore.
According to manpage this is now also ENCRYPT_METHOD for passwd
Same here, man gpasswd refered also only to ENCRYPT_METHOD
I'm not sure if the other settigs in this file still have any affect on current program versions...
I saw no negative effect when i added: ENCRYPT_METHOD sha512 also to this file (and disabled CRYPT=)

To take encrypt method switching to work the users have to change their passwords
with passwd. After that you could see the better encryption hash in /etc/shadow.

This task depends upon

Closed by  Aaron Griffin (phrakture)
Monday, 17 August 2009, 20:15 GMT
Reason for closing:  Duplicate
Additional comments about closing:   FS#13591 
Comment by Thomas Dziedzic (tomd123) - Wednesday, 12 August 2009, 14:43 GMT
If we were to switch, I think we should take note from OpenBSD and use blowfish. (OpenBSD uses blowfish by default for system passwords.)
Comment by Gerardo Exequiel Pozzi (djgera) - Thursday, 13 August 2009, 01:46 GMT
There is already feature request for this:  FS#13591  : [pam] Use sha512 hash for passwords for improve local security