Arch Linux changes default password hashing algorithm

Arch Linux

Arch Linux is a general-purpose Linux distribution aimed at advanced users.

A few days ago, a post on the official Arch Linux website announced a change to the distribution's default password hashing scheme, together with a change to where the umask is configured.

The post states that Arch Linux is moving from the SHA512-based scheme (sha512crypt, the hashes that start with $6$ in /etc/shadow) to yescrypt.

yescrypt is a password hashing scheme that can also derive cryptographic keys from passwords or passphrases. It is based on scrypt and supports classic scrypt, a conservative modification of scrypt (called YESCRYPT_WORM) and a deeper modification (called YESCRYPT_RW), which is offered as the main mode and is what "yescrypt" refers to from here on.

Among the advantages of yescrypt, it is noted that it extends classic scrypt with more memory-intensive settings, which reduces the effectiveness of attacks using GPUs, FPGAs and specialized chips. Its security rests on well-tested cryptographic primitives: SHA-256, HMAC and PBKDF2.

According to its authors, yescrypt is the most scalable password hashing scheme, providing near-optimal security against offline attacks across a wide range of usable memory sizes, from kilobytes to terabytes and beyond. The price of this is the complexity of yescrypt, and complexity is a disadvantage in any piece of software.

For this reason, yescrypt is currently aimed at large deployments (millions of passwords), where its complexity is small compared with the overall complexity of the authentication service. For smaller deployments and program integrations, bcrypt remains a reasonable short-term option for now.

The disadvantages of the previously used SHA512-based scheme include: the need to set sufficiently large salt values (at least 128 bits); susceptibility to denial of service through parasitic CPU load when hashing very long passwords, since its cost grows with password length; susceptibility to a password-length side channel based on passive measurement of hash processing time; and a construction that does not build on a standard cryptographic key derivation function (KDF).

In addition, the umask is now configured in /etc/login.defs instead of /etc/profile.
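Changing the default only affects hashes created from that point on: an existing entry in /etc/shadow keeps its old sha512crypt hash until that user's password is next set. The script below is an added shell example, not part of the Arch announcement or of any Arch tooling: it classifies /etc/shadow-style entries by their hash prefix to find accounts still carrying a non-yescrypt hash, and reads ENCRYPT_METHOD and UMASK from a login.defs-style excerpt. Both inputs are constructed sample data (the hash bodies are placeholders, not real hashes) and the YESCRYPT_COST_FACTOR line is an illustrative setting; on a real system you would feed it the contents of /etc/shadow (as root) and /etc/login.defs instead.

```shell
#!/bin/sh
# Added example: audit which accounts still carry a pre-yescrypt hash and
# confirm the login.defs settings the announcement talks about.
# All input below is constructed sample data; the hash bodies are placeholders.

SAMPLE_SHADOW='root:$y$j9T$SaltPlaceholderSalt$HashPlaceholderHashPlaceholderHashPlaceholder:19500:0:99999:7:::
alice:$6$saltsalt$Sha512CryptPlaceholderHash:19400:0:99999:7:::
bob:$2b$12$BcryptPlaceholderHashBcryptPlaceholder:19300:0:99999:7:::
svc:!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::'

SAMPLE_LOGIN_DEFS='# /etc/login.defs (excerpt, constructed for this example)
ENCRYPT_METHOD YESCRYPT
YESCRYPT_COST_FACTOR 5
UMASK 022'

# hash_scheme: name the crypt(3) scheme from the prefix of one shadow hash field.
hash_scheme() {
    [ -z "$1" ] && { echo locked; return; }   # empty field: no password set
    case "$1" in
        '$y$'*)                  echo yescrypt ;;
        '$gy$'*)                 echo gost-yescrypt ;;
        '$7$'*)                  echo scrypt ;;
        '$6$'*)                  echo sha512crypt ;;
        '$5$'*)                  echo sha256crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$1$'*)                  echo md5crypt ;;
        '!'*|'*'*)               echo locked ;;    # locked or no-login accounts
        *)                       echo unknown ;;
    esac
}

# legacy_accounts: print "user scheme" for every entry that is neither yescrypt
# nor locked. These accounts need their password re-set before the stored hash
# actually benefits from the new default.
legacy_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r user hash rest; do
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            yescrypt|locked) ;;
            *) echo "$user $scheme" ;;
        esac
    done
}

# login_defs_value: value of one directive in login.defs-style text.
# The first token is the key; lines starting with # are comments and never match.
login_defs_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# Stand-alone run over the constructed sample data.
echo "Default hash scheme: $(login_defs_value ENCRYPT_METHOD "$SAMPLE_LOGIN_DEFS")"
echo "Default umask:       $(login_defs_value UMASK "$SAMPLE_LOGIN_DEFS")"
echo "Accounts still on a non-yescrypt hash:"
legacy_accounts "$SAMPLE_SHADOW"
```

Locked entries (a hash field of "!" or "*") are skipped because they have no password to re-hash; everything else that is not already yescrypt is reported, which also surfaces bcrypt or scrypt hashes left behind by an earlier manual configuration.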

Regarding the hash change, it is also mentioned that Argon2, the winner of the Password Hashing Competition in 2015, was considered as well, but was not adopted in Arch Linux because it is not supported by libxcrypt, the library used by PAM.

Also worth noting among recent Arch Linux improvements is the Archinstall 2.6.1 installer update. Archinstall can be used instead of the distribution's default manual installation, providing a guided and automated installation mode.

In the new version the user can configure an arbitrary number of parallel downloads; an option has been added to use ly as a console display manager, and to use slick-greeter instead of gtk-greeter with lightdm. The kitty, Dolphin and wofi applications have been added to the profile that makes up the environment based on the Hyprland compositor.

Other notable changes in Archinstall 2.6.1:

  • Fixed a crash caused by unsupported partitions
  • Fixed loading desktop profiles from preconfigured settings
  • Fixed a GRUB installation issue on MBR devices due to an incorrect target device
  • Fixed some bugs in manual partitioning
  • Fixed an issue with custom commands
  • Allow assigning mount points on existing partitions
  • Fixed UUID acquisition
  • Sort profiles ignoring case

Finally, if you are interested in learning more, you can check the details at the following link.

