Set Password Hashing Algorithm in /etc/login.defs

Classification:

compliance

Framework:

Control:

Description

In /etc/login.defs, add or correct the following line to ensure the system will use yescrypt as the hashing algorithm:

ENCRYPT_METHOD yescrypt

Rationale

Passwords need to be protected at all times, and one-way hashing (which login.defs calls "encryption") is the standard method for protecting them. If passwords are not hashed, they can be read in clear text and easily compromised. Passwords hashed with a weak algorithm are little better protected than if they were kept in plain text.

Using a stronger hashing algorithm makes password cracking attacks more difficult.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
# (the shadow-utils 'login' package, which owns /etc/login.defs, must be installed)
if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then

var_password_hashing_algorithm='yescrypt'

# Replace an existing ENCRYPT_METHOD line in place, otherwise append one
if grep --silent '^ENCRYPT_METHOD' /etc/login.defs ; then
    sed -i "s/^ENCRYPT_METHOD .*/ENCRYPT_METHOD $var_password_hashing_algorithm/g" /etc/login.defs
else
    echo "" >> /etc/login.defs
    echo "ENCRYPT_METHOD $var_password_hashing_algorithm" >> /etc/login.defs
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
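Changing ENCRYPT_METHOD only affects passwords set after the change; hashes already stored in /etc/shadow keep their old algorithm until the user's password is next changed. The following audit helper is an added example, not part of the guide's own remediation: it reports the effective ENCRYPT_METHOD from a login.defs-style file and counts shadow entries whose hash prefix is not yescrypt. The "UNSET" marker and the `--live` flag are this script's own conventions.

```shell
#!/bin/sh
# Added audit helper (not the guide's script): report the effective
# ENCRYPT_METHOD and find accounts whose stored hash predates the change.
# Paths are parameters so the check can run on constructed sample files.

# Effective ENCRYPT_METHOD: comment lines skipped, last occurrence wins.
# "UNSET" is this script's own marker for a missing line.
effective_encrypt_method() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "ENCRYPT_METHOD" { m = $2 }
        END { print (m == "" ? "UNSET" : m) }
    ' "$1"
}

# Classify a shadow password field by its crypt(3) hash prefix.
hash_algorithm() {
    case "$1" in
        '$y$'*)        echo yescrypt ;;
        '$7$'*)        echo scrypt ;;
        '$2'*)         echo bcrypt ;;
        '$6$'*)        echo sha512 ;;
        '$5$'*)        echo sha256 ;;
        '$1$'*)        echo md5 ;;
        ''|'!'*|'*'*)  echo locked ;;
        *)             echo des-or-unknown ;;
    esac
}

# Print the number of accounts with a usable, non-yescrypt hash;
# per-account detail goes to stderr so stdout stays machine-readable.
count_non_yescrypt() {
    n=0
    while IFS=: read -r user hash _; do
        alg=$(hash_algorithm "$hash")
        if [ "$alg" != yescrypt ] && [ "$alg" != locked ]; then
            n=$((n + 1))
            echo "  $user: $alg" >&2
        fi
    done < "$1"
    echo "$n"
}

# Stand-alone use against the live system (reading /etc/shadow needs root).
if [ "${1:-}" = --live ]; then
    echo "ENCRYPT_METHOD: $(effective_encrypt_method /etc/login.defs)"
    echo "non-yescrypt hashes: $(count_non_yescrypt /etc/shadow)"
fi
```

A non-zero count after remediation means those users should be prompted to change their password (for example with chage -d 0) so the new algorithm actually takes effect for them.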