MD5 is chosen as the default password hash

Bug #290361 reported by Aaron Toponce
Affects: debian-installer (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

MD5 is chosen as the default password hash in Ubuntu 8.10, when a much stronger SHA512 is supported.

After install, the user can run the 'passwd' command to update his password, then by default, /etc/shadow is updated to the SHA512 algorithm, but before this point, passwords from the installer are stored as MD5. Why isn't the algorithm supported in the installer? How likely is the user going to change his password after the installation? If PAM has been updated to support SHA512, then this should reflect in the installer, or at least give the user the ability to choose which algorithm they wish to take advantage of.

Marking this as a security vulnerability, as MD5 has shown successful cryptanalysis, and should be replaced.
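Added example, not part of the original report or of the installer's code: one way to find accounts whose password is still stored with the installer's MD5 scheme, by reading the crypt(3) scheme identifier in the second field of each /etc/shadow line. The account names and sample lines are constructed, and the salt and hash bodies are placeholders.

```python
# Added example: classify /etc/shadow entries by crypt(3) scheme prefix.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"md5crypt", "des-crypt"}

def classify(field):
    """Return (scheme, locked) for the password field of a shadow line."""
    locked = field.startswith("!")      # a leading "!" marks a locked password
    body = field.lstrip("!")
    if body in ("", "*"):
        # "!", "!!" or "*": no password login; a truly empty field: no password set
        return ("no-password" if field == "" else "no-login", locked)
    if body.startswith("$"):
        scheme_id = body.split("$")[1]  # "$6$salt$hash" -> "6"
        return (SCHEMES.get(scheme_id, "unknown:" + scheme_id), locked)
    return ("des-crypt", locked)        # traditional DES hashes carry no "$" prefix

def audit(lines):
    """Return sorted (account, scheme) pairs whose stored hash uses a weak scheme."""
    weak = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                    # malformed line, nothing to classify
        scheme, _locked = classify(fields[1])
        if scheme in WEAK:
            weak.append((fields[0], scheme))
    return sorted(weak)

# Constructed sample input; hash bodies are placeholders, not real digests.
SAMPLE = """\
root:!:14180:0:99999:7:::
daemon:*:14180:0:99999:7:::
installer_user:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:14180:0:99999:7:::
changed_user:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:14181:0:99999:7:::
locked_user:!$1$PLACEHOLDERSALT$PLACEHOLDERHASH:14181:0:99999:7:::
""".splitlines()

if __name__ == "__main__":
    for name, scheme in audit(SAMPLE):
        print(f"{name}: {scheme} (a new password set with passwd is stored with the current default)")
```

Against a real system, pass the lines of /etc/shadow (readable by root only) to `audit()` instead of `SAMPLE`; a locked account is still reported because its old hash becomes usable again once the account is unlocked.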

This report contains Public Security information  
Everyone can see this security related information.
