id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
2814	Use SHA-512 instead of MD5 for password encrypting	willimm	Matthew Burgess	"See the thread starting with:

http://linuxfromscratch.org/pipermail/lfs-dev/2010-December/064462.html

Short summary: MD5 has been known for a while to be cryptographically weak (even though it's stronger than DES), and the attacks going around don't make me feel comfy with using MD5 for passwords.

The Government of the United States recommends that MD5 should be ditched and replaced with SHA-2. Now, as SHA-2 was added to Glibc in version 2.7, we could have done this a while ago if the word came out sooner. But, let's face it, MD5 is weak.

The change is easy: In the Shadow instructions (in both LFS and BLFS), just simply replace the sed for MD5 with a sed for this:

{{{
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
        -e 's@/var/spool/mail@/var/mail@' etc/login.defs
}}}

And that's really it, as the PAM configuration is already using SHA-512.

Marking this as critical because, while I'd like to see this done soon, it's not exactly a deal breaker. Still very important, though."	task	closed	normal	6.8	Book	SVN	critical	fixed	sha-512 shadow md5 is very weak	
