With *shadow* >= `4.14.0`, Arch Linux's default password hashing algorithm changed from **SHA512** to **yescrypt** [1].
Furthermore, the `umask` [2] settings are now configured in `/etc/login.defs` instead of `/etc/profile`.
This should not require any manual intervention. Note that existing password hashes are not converted in place: an account keeps its SHA512 hash until its password is next set (for example with `passwd`), at which point the new hash is computed with yescrypt.
## Reasons for Yescrypt
The password-based key derivation function (KDF) and password hashing scheme **yescrypt** was chosen because it is readily available (it is implemented in *libxcrypt*, which *pam* [3] uses) and because it is more resistant to password cracking than **SHA512** (sha512crypt): yescrypt is memory-hard, so a GPU or ASIC cracker has to spend memory as well as time on every guess, whereas sha512crypt only adds iterations.
Although **argon2** won the Password Hashing Competition [4], this even more resilient algorithm is not yet available in *libxcrypt* [5][6].
## Configuring yescrypt
The `YESCRYPT_COST_FACTOR` setting in `/etc/login.defs` currently has no effect, until *pam* implements reading its value [7]. If a `YESCRYPT_COST_FACTOR` higher (or lower) than the default (`5`) is needed, it can be set using the `rounds` option of the `pam_unix` [8] module, e.g. by appending `rounds=7` to the `password` line that loads `pam_unix.so` in `/etc/pam.d/system-auth`. For yescrypt, `rounds` is the cost factor (which scales both memory and time), not an iteration count as it is for SHA512.
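The following script is an added example (not from the Arch news post or any of the referenced projects) showing how to verify the change on a system: it classifies each hash in `/etc/shadow` by its crypt(5) prefix, decodes the cost factor from a yescrypt hash, and lists accounts that still carry a pre-migration SHA512 hash. The shadow entries below are constructed sample data, not real credentials. The decoding assumes libxcrypt's parameter choice for a cost factor `c`, namely `N = 2^(c+7)` and `r = 32` (the default `$y$j9T$` string is `N = 2^12`, `r = 32`, i.e. 16 MiB per hash), and that each parameter is encoded as a single itoa64 character.

```shell
#!/bin/sh
# Added example: audit crypt(5) hashes after the switch to yescrypt.
# Sample data is constructed; hash/salt parts are placeholders, not real secrets.

ITOA64='./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# Index (0-63) of one itoa64 character; fails if the character is not in the alphabet.
itoa64_index() {
    rest=${ITOA64#*"$1"}
    [ "$rest" != "$ITOA64" ] || return 1
    echo $(( ${#ITOA64} - ${#rest} - 1 ))
}

# Map the "$id$" prefix of a crypt(5) hash to its algorithm name.
hash_method() {
    case "$1" in
        '$y$'*)                  echo yescrypt ;;
        '$gy$'*)                 echo gost-yescrypt ;;
        '$7$'*)                  echo scrypt ;;
        '$6$'*)                  echo sha512crypt ;;
        '$5$'*)                  echo sha256crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$1$'*)                  echo md5crypt ;;
        '!'*|'*'*|'')            echo locked-or-empty ;;  # no usable hash
        *)                       echo unknown ;;
    esac
}

# Decode "$y$<params>$<salt>$<hash>" and print "cost log2(N) r memory_MiB".
# Assumption (libxcrypt gensalt): N = 2^(cost+7), r = 32; the 2nd params char
# encodes log2(N)-1 and the 3rd encodes r-1, each as one itoa64 character.
yescrypt_params() {
    h=$1
    case "$h" in '$y$'*) ;; *) return 1 ;; esac
    params=${h#\$y\$}
    params=${params%%\$*}
    [ ${#params} -ge 3 ] || return 1
    n_idx=$(itoa64_index "$(printf '%s' "$params" | cut -c2)") || return 1
    r_idx=$(itoa64_index "$(printf '%s' "$params" | cut -c3)") || return 1
    n_log2=$((n_idx + 1))
    r=$((r_idx + 1))
    # yescrypt, like scrypt, needs 128 * N * r bytes of memory per hash.
    echo "$((n_log2 - 7)) $n_log2 $r $(( (1 << n_log2) * r * 128 / 1048576 ))"
}

# Print "user method [cost=c]" for every entry of shadow(5) content passed as a string.
shadow_audit() {
    printf '%s\n' "$1" | while IFS=: read -r user hash _rest; do
        method=$(hash_method "$hash")
        case "$method" in
            yescrypt) echo "$user $method cost=$(yescrypt_params "$hash" | cut -d' ' -f1)" ;;
            *)        echo "$user $method" ;;
        esac
    done
}

# Accounts whose hash exists but is not yescrypt: they are only re-hashed when the
# password is next set, nothing converts them automatically.
needs_rehash() {
    shadow_audit "$1" | awk '$2 != "yescrypt" && $2 != "locked-or-empty" { print $1 }'
}

# Constructed sample shadow file: one yescrypt hash (default cost), one legacy
# sha512crypt hash, one locked account and one account without a password.
SAMPLE_SHADOW='root:$y$j9T$abcdefghijklmnopqrstuv$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456:19600:0:99999:7:::
alice:$6$saltsalt$ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:19500:0:99999:7:::
bob:!:19550:0:99999:7:::
svc:*:19550:0:99999:7:::'

# On a real system (as root): shadow_audit "$(cat /etc/shadow)"
shadow_audit "$SAMPLE_SHADOW"
echo "still on a non-yescrypt hash: $(needs_rehash "$SAMPLE_SHADOW" | tr '\n' ' ')"
```

Run it as root against `/etc/shadow` after upgrading; any user reported by `needs_rehash` keeps the weaker hash until they change their password, and a decoded cost lower than what `rounds=` in `/etc/pam.d/system-auth` requests means the hash predates the configuration change.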
## General list of changes
- **yescrypt** is used as default password hashing algorithm, instead of **SHA512**
- *pam* honors the chosen `ENCRYPT_METHOD` in `/etc/login.defs` and does not override the chosen method anymore
- changes in the *filesystem* (>= `2023.09.18`) and *pambase* (>= `20230918`) packages ensure that `umask` is set centrally in `/etc/login.defs` instead of `/etc/profile`
[1] https://www.openwall.com/yescrypt/
[2] https://man.archlinux.org/man/umask.1p
[3] https://wiki.archlinux.org/title/PAM
[4] https://www.password-hashing.net/
[5] https://github.com/besser82/libxcrypt/pull/113
[6] https://github.com/besser82/libxcrypt/pull/150
[7] https://github.com/linux-pam/linux-pam/issues/607
[8] https://man.archlinux.org/man/pam_unix.8
URL: https://archlinux.org/news/changes-to-default-password-hashing-algorithm-an…