On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:

> Hello everybody,
>
> old password hashes like MD5 are no longer accepted by recent libxcrypt. On
> next login user may be enforced to update password. To make sure nobody is
> worried I would like to add install message and news post:
>
> --- >8 ---
> Starting with libxcrypt 4.4.21 weak password hashes are no longer accepted.
> If you still have one in your shadow file do not worry if you are enforced
> to update your password on next login.
> --- >8 ---
>

It confused me a bit. I think we can phrase this better:

```
Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1)
are no longer accepted for new passwords. Users that still have their
passwords stored with a weak hash will be asked to update their password on
their next login.
```

But is this really what is happening? I thought we had a complete failure to login, not a "forced to update". I'm also not clear if the latter would work with the display managers.
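Added example, not part of the original message and not libxcrypt's or Arch's own code: a check an administrator could run to see which accounts would be affected, flagging shadow-format entries stored with the two schemes the message names. The prefix table (`$1$` for MD5, `$sha1$` for SHA1, per crypt(5) conventions), the function names and the sample entries are assumptions of this example.

```python
"""Flag shadow-format entries whose hash uses a scheme named in the message."""

# Assumption: crypt(5) prefix conventions for the two schemes the message
# names; this is not libxcrypt's own list of disabled methods.
WEAK_PREFIXES = {"$1$": "md5crypt", "$sha1$": "sha1crypt"}


def classify(field):
    """Return (status, scheme) for the password field of one shadow entry."""
    if field == "":
        return "empty", None
    # A leading '!' marks a locked password; the hash behind it still matters
    # because unlocking the account would bring the weak hash back into use.
    locked = field.startswith("!")
    body = field.lstrip("!")
    if not body or body == "*":
        return "no-login", None
    for prefix, scheme in WEAK_PREFIXES.items():
        if body.startswith(prefix):
            return ("weak-locked" if locked else "weak"), scheme
    return "other", None


def weak_accounts(shadow_text):
    """Return [(user, scheme, status)] for entries stored with a weak scheme."""
    found = []
    for line in shadow_text.splitlines():
        line = line.strip()
        parts = line.split(":")
        if not line or line.startswith("#") or len(parts) < 2:
            continue  # blank, comment or malformed line
        status, scheme = classify(parts[1])
        if status.startswith("weak"):
            found.append((parts[0], scheme, status))
    return found


# Constructed sample input; salts and hash strings are placeholders.
SAMPLE = """\
root:$6$examplesalt$placeholderhash:18783::::::
alice:$1$examplesalt$placeholderhash:17000:0:99999:7:::
bob:!$sha1$40000$examplesalt$placeholderhash:17000:0:99999:7:::
daemon:*:18783::::::
carol:$y$j9T$examplesalt$placeholderhash:18783:0:99999:7:::
nobody:!!:18783::::::
"""

if __name__ == "__main__":
    for user, scheme, status in weak_accounts(SAMPLE):
        print(f"{user}: {scheme} ({status})")
```

On a real system the input would be the contents of the shadow file, read as root, passed to `weak_accounts`.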