4.5.1.1 Ensure strong password hashing algorithm is configured

Information

A cryptographic hash function converts an arbitrary-length input into a fixed length output. Password hashing performs a one-way transformation of a password, turning the password into another string, called the hashed password.

The SHA-512 and yescrypt algorithms provide a stronger hash than other algorithms used by Linux for password hash generation. A stronger hash provides additional protection to the system by increasing the level of effort needed for an attacker to successfully determine local user passwords.

Note: These changes only apply to the local system.

Solution

Note: If yescrypt becomes available in a future release, this would also be acceptable. It is highly recommended that the chosen hashing algorithm is consistent across /etc/libuser.conf /etc/login.defs /etc/pam.d/password-auth and /etc/pam.d/system-auth

Set password hashing algorithm to sha512.

Edit /etc/libuser.conf and edit or add the following line:

crypt_style = sha512

Edit /etc/login.defs and edit or add the following line:

ENCRYPT_METHOD SHA512

Note: This only effects local users and passwords created after updating the files to use sha512 or yescrypt If it is determined that the password algorithm being used is not sha512 or yescrypt once it is changed, it is recommended that all group passwords be updated to use the stronger hashing algorithm.

See Also

https://workbench.cisecurity.org/benchmarks/15964

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 608c9c816fe983a2308eb37fdc588e2be4ebdb48af9ffecc17e647d1ba7117a5