Systems installed by Thus (before v0.9.5.2) and Calamares (before v126.96.36.199) have a weaker password hash, than they should. This weakness is only important, if an attacker has a way of obtaining the password hash. The Manjaro and Calamares teams believe, that installed systems should be as secure as possible and therefore consider this weakness important.
Users are advised, to reset their password on installed systems by using the password utility, which will provide a stronger password hash. This applies to all user accounts created during the installation of the system, by either of those installers: the user's own account and to the root account, if the root account has a password.
During system installation, Thus or Calamares creates a regular user -- for example, "bob" -- and sets the password for that user. Often, Thus or Calamares also sets a password for the root user.
When setting the password, Thus or Calamares uses a predictable "salt". This means, that an attacker knows the salt for user "bob", and also for user "root". If the attacker can obtain the password hash -- usually stored in /etc/shadow -- then the knowledge of the salt can help the attacker prepare for a password cracking attempt.
This weakness does not weaken the password security for logins on a single system. It does weaken the password if an attacker can obtain the password hash through some other means.
The predictable salt also means that passwords on different machines may be hashed with the same salt. This means that all root accounts installed by Thus (before v0.9.5.2) and Calamares (before v188.8.131.52) share the same salt and that an attacker who can obtain
/etc/shadow from many installed machines can use the predictable salt to build a rainbow table for root in advance.
Users added to the system after installation do not have this password weakness.
Users whose password has been changed with passwd do not have this password weakness.
Users are advised to reset their password on installed systems by using passwd:
Changing password for user.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
When changing the password, the installed Linux system generates a new, random, salt for the password hash and the password is no longer affected by this weakness. Users may also want to reset the root password on the system if it is vulnerable, with
Existing DVDs, USB sticks, etc. with Thus (before v0.9.5.2) and Calamares (before v184.108.40.206) as system installer will continue to be vulnerable to this password weakness. Since Thus or Calamares are system installers, they are usually not available on the installed system, and therefore it is not necessary to update Thus or Calamares on any installed system.
Beginning with Manjaro v17.0.2-rc3 we are using Calamares v220.127.116.11 or higher, which no longer creates user password hashes with a predictable salt.
Thanks to Bart Haan for finding the original password weakness and Philip Müller for extensive testing in Manjaro.
It is general good to read our Security Mailing List on regular basis. In this case, please read our MSAs this particular topic: [MSA-201706-01], [MSA-201706-02]