*** This bug is a security vulnerability ***

Public security bug reported:

MD5 is chosen as the default password hash in Ubuntu 8.10, when a much stronger SHA512 is supported. After install, the user can run the 'passwd' command to update his password, then by default, /etc/shadow is updated to the SHA512 algorithm, but before this point, passwords from the installer are stored as MD5.

Why isn't the algorithm supported in the installer? How likely is the user going to change his password after the installation? If PAM has been updated to support SHA512, then this should reflect in the installer, or at least give the user the ability to choose which algorithm they wish to take advantage of.

Marking this as a security vulnerability, as MD5 has shown successful cryptanalysis, and should be replaced.

** Affects: debian-installer (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

--
MD5 is chosen as the default password hash
https://bugs.launchpad.net/bugs/290361

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
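
An added example (not part of the bug report, and not Ubuntu's or the installer's code): a check an administrator could run to find accounts whose stored hash is still MD5-crypt, using the crypt(3) `$id$` prefix in the second field of each shadow(5) entry. The account names and hash strings in the sample are constructed placeholders.

```python
"""Classify the hash scheme of each entry in shadow(5)-format text."""

# crypt(3) identifiers that appear between the first pair of '$' signs.
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}


def classify(field):
    """Return (scheme, locked) for the second field of a shadow line."""
    if field == "":
        return "empty", False          # no password required
    locked = field.startswith("!")     # passwd -l prefixes the hash with '!'
    body = field.lstrip("!")
    if body in ("", "*"):
        return "nologin", True         # no usable password hash at all
    if body.startswith("$"):
        parts = body.split("$")
        ident = parts[1] if len(parts) > 2 else ""
        return SCHEMES.get(ident, "other"), locked
    return "des", locked               # traditional crypt has no '$' prefix


def audit(shadow_text, weak=("md5", "des")):
    """Return [(user, scheme, locked)] for entries using a weak scheme."""
    findings = []
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                   # malformed line, skip it
        scheme, locked = classify(fields[1])
        if scheme in weak:
            findings.append((fields[0], scheme, locked))
    return findings


# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE = """\
root:!:14180:0:99999:7:::
daemon:*:14180:0:99999:7:::
installer_user:$1$CONSTRUC$placeholderplaceholder:14180:0:99999:7:::
changed_user:$6$CONSTRUCTEDSALT$placeholderplaceholder:14181:0:99999:7:::
old_locked:!$1$CONSTRUC$placeholderplaceholder:14000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, locked in audit(SAMPLE):
        print(f"{user}: {scheme}{' (locked)' if locked else ''}")
```

On a real system, pass the contents of /etc/shadow (read as root) to `audit()`; any account it lists keeps its weak hash until that account's password is set again under the stronger default.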