Skip to content

5.4.1.4 Ensure strong password hashing algorithm is configured

Audit#

Run the following command to verify the hashing algorithm is sha512 or yescrypt in /etc/login.defs: 

# grep -Pi -- '^\h*ENCRYPT_METHOD\h+(SHA512|yescrypt)\b' /etc/login.defs

Example output: 

ENCRYPT_METHOD SHA512
- OR -
ENCRYPT_METHOD YESCRYPT

Remediation#

Edit /etc/login.defs and set the ENCRYPT_METHOD to SHA512 or YESCRYPT: Example: 

ENCRYPT_METHOD <HASHING_ALGORITHM>

Example: 

ENCRYPT_METHOD YESCRYPT

Note: - This only effects local groups' passwords created after updating the file to use sha512 or yescrypt. - If it is determined that the password algorithm being used is not sha512 or yescrypt, once it is changed, it is recommended that all group passwords be updated to use the stronger hashing algorithm. - It is recommended that the chosen hashing algorithm is consistent across /etc/login.defs and the PAM configuration

Default Value: ENCRYPT_METHOD SHA512