5.4.1.1 Ensure password hashing algorithm is SHA-512

Information

Login passwords are hashed and stored in the /etc/shadow file.

Note:

These changes only apply to accounts configured on the local system.

The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords.

Solution

Edit the /etc/login.defs file and modify ENCRYPT_METHOD to SHA512 :

ENCRYPT_METHOD sha512

Notes:

-

Any system accounts that need to be expired should be carefully done separately by the system administrator to prevent any potential problems

-

If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user ID's be immediately expired and forced to change their passwords on next login, In accordance with local site policies

-

To accomplish this, the following command can be used

# awk -F: '( $3<'"$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)"' &amp;&amp; $1 != "nfsnobody" ) { print $1 }' /etc/passwd | xargs -n 1 chage -d 0

See Also

https://workbench.cisecurity.org/benchmarks/8498

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 46518aea0e8d14891b4134dd42187507ed42beb32d45f3ef27c6e38a3ba63eda