On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
Hello everybody,
old password hashes like MD5 are no longer accepted by recent libxcrypt. On next login user may be enforced to update password. To make sure nobody is worried I would like to add install message and news post:
--- >8 ---
Starting with libxcrypt 4.4.21 weak password hashes are no longer accepted. If you still have one in your shadow file do not worry if you are enforced to update your password on next login.
--- >8 ---
It confused me a bit. I think we can phrase this better:

```
Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login.
```

But is this really what is happening? I thought we had a complete failure to log in, not a "forced to update". I'm also not clear if the latter would work with the display managers.
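
An added example, not part of either message: a check an administrator could run before upgrading to see which accounts in a shadow-format file still use the two schemes named above. It assumes the crypt(5) prefixes `$1$` (md5crypt) and `$sha1$` (sha1crypt); the function names are hypothetical and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: list accounts whose stored hash uses md5crypt or sha1crypt.
# Assumption: the schemes are identified by their crypt(5) prefixes only.

# weak_shadow_users FILE -> prints "user scheme" for each affected account
weak_shadow_users() {
    awk -F: '
        {
            hash = $2
            # A leading "!" marks a locked password; the hash follows it.
            sub(/^!+/, "", hash)
            if (index(hash, "$1$") == 1)         print $1, "md5crypt"
            else if (index(hash, "$sha1$") == 1) print $1, "sha1crypt"
        }
    ' "$1"
}

# Constructed sample input (placeholder salts and digests, not real hashes).
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructeddigest:18700:0:99999:7:::
alice:$1$constructed$constructeddigest:17000:0:99999:7:::
bob:!$sha1$480000$constructed$constructeddigest:17000:0:99999:7:::
carol:$y$j9T$constructed$constructeddigest:18800:0:99999:7:::
daemon:*:18700::::::
nobody:!:18700::::::
EOF
}

# Usage: sh this_script.sh /etc/shadow   (reading /etc/shadow needs root)
if [ "$#" -gt 0 ]; then
    weak_shadow_users "$1"
fi
```

Accounts with no password hash (`*` or a bare `!`) are skipped; a locked account that still carries an old hash, like `bob` in the sample, is reported.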