[arch-dev-public] News draft: sorting old password hashes

Jan Alexander Steffens jan.steffens at gmail.com
Sun Jun 6 19:49:26 UTC 2021


On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <
arch-dev-public at lists.archlinux.org> wrote:

> Hello everybody,
>
> old password hashes like MD5 are no longer accepted by recent libxcrypt. On
> next login, users may be forced to update their password. To make sure nobody
> is worried, I would like to add an install message and news post:
>
> --- >8 ---
> Starting with libxcrypt 4.4.21 weak password hashes are no longer accepted.
> If you still have one in your shadow file do not worry if you are enforced to
> update your password on next login.
> --- >8 ---
>

It confused me a bit. I think we can phrase this better:

```
Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1) are
no longer accepted for new passwords. Users that still have their passwords
stored with a weak hash will be asked to update their password on their next
login.
```

But is this really what is happening? I thought we had a complete failure to
log in, not a "forced to update". I'm also not clear if the latter would work
with the display managers.
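
An added example, not part of the message above or of libxcrypt: a small audit that lists which accounts in a shadow file still carry a hash of the kinds named in the thread, so they can be given a new password before the upgrade. The prefixes are the ones documented in crypt(5); treating only `$1$` (md5crypt) and `$sha1$` (sha1crypt) as weak is an assumption taken from the draft wording, and the sample entries are constructed placeholders, not real hashes.

```python
#!/usr/bin/env python3
"""Report shadow entries that use a weak password hash (added example)."""
import sys

# Assumption: the "weak" set is just the two schemes named in the thread.
WEAK = {"$1$": "md5crypt", "$sha1$": "sha1crypt"}
OTHER = {"$y$": "yescrypt", "$7$": "scrypt", "$6$": "sha512crypt",
         "$5$": "sha256crypt", "$2a$": "bcrypt", "$2b$": "bcrypt",
         "$2y$": "bcrypt"}

def classify(field):
    """Return (scheme, is_weak) for the password field of a shadow line."""
    body = field.lstrip("!")  # a leading "!" locks the account, the hash stays
    if body in ("", "*"):
        return ("no hash", False)
    for table, weak in ((WEAK, True), (OTHER, False)):
        for prefix, name in table.items():
            if body.startswith(prefix):
                return (name, weak)
    return ("unknown", False)

def audit(lines):
    """Return [(user, scheme, locked)] for every entry with a weak hash."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        scheme, weak = classify(parts[1])
        if weak:
            findings.append((parts[0], scheme, parts[1].startswith("!")))
    return findings

# Constructed sample in shadow(5) layout; hash bodies are placeholders.
SAMPLE = [
    "root:$6$examplesalt$PLACEHOLDER:18700:0:99999:7:::",
    "alice:$1$examples$PLACEHOLDER:17000:0:99999:7:::",
    "bob:$y$j9T$examplesalt$PLACEHOLDER:18780:0:99999:7:::",
    "carol:!$sha1$20000$examplesalt$PLACEHOLDER:16000:0:99999:7:::",
    "daemon:*:18700::::::",
    "nobody:!:18700::::::",
]

if __name__ == "__main__":
    # Reading the real file needs root: sudo ./audit.py /etc/shadow
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for user, scheme, locked in audit(source):
        print(f"{user}: {scheme}{' (locked)' if locked else ''}")
```

Run without arguments it reports on the constructed sample; locked accounts are still listed because unlocking them would expose the old hash again.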

