On 2023-09-19 09:43:17 (+0200), David Runge wrote:
I have been asked by Kristian Klausen (offlist) to add information on the motivation for using yescrypt as the new default. I propose this update:

> ```markdown
> With shadow >= `4.14.0`, Arch Linux's default password hashing algorithm
> changed from `SHA512` to [yescrypt](https://www.openwall.com/yescrypt/) and
> [PAM](https://wiki.archlinux.org/title/PAM) honors the chosen
> `ENCRYPT_METHOD` in /etc/login.defs.
>
> The password-based key derivation function (KDF) and password hashing scheme
> `yescrypt` has been chosen due to its adoption (readily available in
> *libxcrypt*) and its stronger resilience towards password cracking attempts
> over `SHA512`. Although the winner of the
> [Password Hashing Competition](https://www.password-hashing.net/) has been
> `argon2`, this even more resilient algorithm is
> [not yet available in libxcrypt](https://github.com/besser82/libxcrypt/pull/150).
>
> While this should not require any direct user intervention, do note that
> since we now fully integrate with PAM the `YESCRYPT_COST_FACTOR` setting in
> `/etc/login.defs` is currently without effect, until [PAM implements reading
> its value](https://github.com/linux-pam/linux-pam/issues/607).
> If a `YESCRYPT_COST_FACTOR` higher (or lower) than the default (`5`) is
> needed, it can be set using the `rounds` option of the
> [pam_unix](https://man.archlinux.org/man/pam_unix.8) module (i.e. in
> /etc/pam.d/system-auth).
>
> Furthermore, additional changes in the filesystem (>= `2023.09.18`) and
> pambase (>= `20230918`) packages now ensure that
> [umask](https://man.archlinux.org/man/umask.1p) is set centrally in
> /etc/login.defs instead of /etc/profile.
> ```

Best,
David

-- 
https://sleepmap.de
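As an added example (not code from the post, nor from Arch's or libxcrypt's own sources): a Python check that classifies the hash method of each /etc/shadow entry and decodes N and r from the parameter field of yescrypt (`$y$`) hashes, so an administrator can confirm that accounts have moved off SHA512 and see the cost that is actually in effect. The decoding ports yescrypt's `decode64_uint32()`; the mapping `cost_factor = log2(N) - 7` to libxcrypt's cost factor is an assumption about libxcrypt's default parameters, and the shadow lines are constructed.

```python
# Added example, not code from the post, Arch or libxcrypt. Decoding follows
# decode64_uint32() in yescrypt-common.c; cost_factor = log2(N) - 7 assumes
# libxcrypt's default mapping (cost factor 5 -> N = 4096, r = 32).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
METHODS = {"$y$": "yescrypt", "$gy$": "gost-yescrypt", "$7$": "scrypt",
           "$2b$": "bcrypt", "$6$": "sha512", "$5$": "sha256", "$1$": "md5"}

def _decode64_uint32(s, pos, minimum):
    """yescrypt's variable-length integer encoding; returns (value, next_pos)."""
    start, end, chars, bits = 0, 47, 1, 0
    c, pos = ITOA64.index(s[pos]), pos + 1
    value = minimum
    while c > end:  # each further character widens the representable range
        value += end + 1 - start
        start, end = end + 1, end + 1 + (62 - end) // 2
        chars, bits = chars + 1, bits + 6
    value += (c - start) << bits
    for _ in range(chars - 1):  # remaining characters carry 6 bits each
        bits -= 6
        value, pos = value + (ITOA64.index(s[pos]) << bits), pos + 1
    return value, pos

def yescrypt_params(hash_str):
    """Decode flags, N and r from the parameter field of a $y$ hash string."""
    field = hash_str[3:].split("$", 1)[0]  # e.g. "j9T" from "$y$j9T$salt$hash"
    flavor, pos = _decode64_uint32(field, 0, 0)
    flags = flavor if flavor < 2 else 2 + ((flavor - 2) << 2)
    nlog2, pos = _decode64_uint32(field, pos, 1)
    r, pos = _decode64_uint32(field, pos, 1)
    if pos < len(field):  # optional p/t/g/NROM fields; libxcrypt does not emit them
        raise NotImplementedError("non-default yescrypt parameter field")
    return {"flags": flags, "N": 1 << nlog2, "r": r,
            "memory_bytes": 128 * r * (1 << nlog2), "cost_factor": nlog2 - 7}

def audit_shadow(shadow_text):
    """Return {user: {'method': ..., plus yescrypt params}} for each shadow line."""
    report = {}
    for line in shadow_text.splitlines():
        user, hash_field = line.split(":")[:2]
        if not hash_field or hash_field[0] in "!*":  # locked or no password set
            report[user] = {"method": "locked/none"}
            continue
        method = next((m for p, m in METHODS.items() if hash_field.startswith(p)), "unknown")
        report[user] = {"method": method}
        if method == "yescrypt":
            report[user].update(yescrypt_params(hash_field))
    return report

# Constructed sample lines with fake salt/hash material; carol uses cost factor 7.
SAMPLE_SHADOW = """alice:$y$j9T$salt$hash:19600:0:99999:7:::
carol:$y$jBT$salt$hash:19600:0:99999:7:::
bob:$6$saltsalt$hash:19000:0:99999:7:::
daemon:!*:19000::::::"""
```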