Skip to content

Set Password Hashing Algorithm in /etc/login.defs

An XCCDF Rule

Description

In /etc/login.defs, add or correct the following line to ensure the system will use as the hashing algorithm:

ENCRYPT_METHOD 

Rationale

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.

ID
xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow-utils; then

var_password_hashing_algorithm='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_hashing_algorithm" use="legacy"/>'

# Strip any search characters in the key arg so that the key can be replaced without

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-90590-1
  - CJIS-5.6.2.2