Password hash new policy

I’m on a manjaro unstable branch and I’ve received a new libxcrypt’s version.
I guess that related to this news
https://archlinux.org/news/sorting-out-old-password-hashes/

So I think that the reason why the OS asked me to change my password.
I’ve seen that the hash algorythm was updated to sha512 for this password (generated from install script) but I wonder how to set or enforce it to a specific one ? I guess that minimal requirement is set during compilation but I couldn’t find any webpage that explain how to choose it during usage. I would be able to try yescrypt preferably or bcrypt.

Correct.

Also correct. If you used the Manjaro ARM Installer this update will ask you to change your password.
The password can be the same, it’s just to update the hashing algorythm it uses.

passwd in Arch has used sha512 for a while now. The ARM Installer sadly hasn’t, but it’s fixed in 1.4.2 of the installer.

1 Like

Can we test other hash algorythm with it ? Do WE have to compile it with other arguments ?

I think you would need to compile it with other arguments. I don’t see any options in the man page for passwd to change it at use-time.

With your response, I’ve seen that sha512 is here since ~10 years (26 Nov 2011
) : hash passwords with sha512 by default · archlinux/svntogit-packages@5628987 · GitHub

And it needs to be recompiled to enable new algorythm.

I’ve seen news from Fedora which says that they think to change hash for passwd : Fedora 35 Looking To Use Yescrypt For Hashing User Passwords - Phoronix
And I wonder what was settings for arch/manjaro… I guess that now we have answers. :wink:

In the article, but I couldn’t verify, they said that

Besides Fedora, ALT Linux, Debian Testing, and Kali Linux are among other distributions already making use of Yescrypt.

Shadow repo already support yescript since Feb 1st, 2021 : Add yescrypt support · shadow-maint/shadow@5cd04d0 · GitHub

I hope Archlinux will also think to move.

plasma update to 5.22, password fail to login.
had follow arch way, If the login just fails (for example from display manager) switch to a virtual terminal (Ctrl-Alt-F2 ) and log in there once.

plasma password login fail, no one?