OMG, why can't we have nice things. Just found out that passwords in /etc/shadow are hashed using SHA-512 by default (which is the least bad option ...) but only 5000 rounds by default (not that more rounds would make it significantly more resistant against brute force in any case).
Key takeaway: Consider your /etc/shadow to contain essentially plain-text passwords.
-> Don't reuse Linux login passwords for anything else
-> Encrypt your system partition (and be sure to configure a sensible key derivation function when setting it up using cryptsetup, I don't think they use sensible defaults yet. In other words: Tell cryptsetup to use Argon2id and optimise --iter-time and --pbkdf-* to be as slow and memory-consuming as acceptable)
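
An added example, not part of the original post: a small Python audit that reads shadow(5)-format lines and reports each account's hash scheme and effective sha-crypt round count, applying the 5000-round default when no `rounds=` field is present. The function names and the sample entries (salts and hash strings are constructed placeholders, not real hashes) are assumptions made for the illustration.

```python
# Audit sketch: hash scheme and effective rounds for each shadow(5) entry.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # used by crypt(3) when no rounds= field is given

def parse_shadow_line(line):
    """Return (user, scheme, rounds); rounds is None unless the scheme is sha-crypt."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow(5) entry: " + repr(line))
    user, field = fields[0], fields[1]
    if field == "":
        return user, "empty-password", None
    pw = field.lstrip("!")              # a leading '!' marks a locked password
    if pw in ("", "*"):
        return user, "locked", None
    if not pw.startswith("$"):
        return user, "des-or-unknown", None
    parts = pw.split("$")               # ['', id, (rounds=N,) salt, hash]
    scheme = SCHEMES.get(parts[1], "unknown")
    rounds = None
    if scheme in ("sha256crypt", "sha512crypt"):
        rounds = SHA_CRYPT_DEFAULT_ROUNDS
        if len(parts) > 2 and parts[2].startswith("rounds="):
            rounds = int(parts[2][len("rounds="):])
    return user, scheme, rounds

def audit(text):
    """Parse every non-blank line of shadow-format text."""
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]

# Constructed sample input; salts and hashes are placeholders.
SAMPLE = """\
root:$6$ExampleSalt$ConstructedHashValue:19000:0:99999:7:::
alice:$6$rounds=656000$ExampleSalt$ConstructedHashValue:19000:0:99999:7:::
bob:$y$j9T$ExampleSalt$ConstructedHashValue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
carol:!$5$ExampleSalt$ConstructedHashValue:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, rounds in audit(SAMPLE):
        print(f"{user:8} {scheme:16} rounds={rounds}")
```

To check a real system, pass the contents of /etc/shadow (readable by root only) to `audit()` instead of `SAMPLE`.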