← Rules Catalog
highaccess-controlverified rollback-safe

Ensure strong password hashing algorithm is configured

password-hashing-algorithm · RHEL ≥ 8 · 1 impl

Description

The system should use a strong password hashing algorithm such as yescrypt or SHA512 for storing passwords.

Rationale

Weak hashing algorithms can be cracked more easily. Modern algorithms like yescrypt provide better resistance to brute-force attacks.

Check → Remediate

Checkcommand
encrypt=$(grep -E '^ENCRYPT_METHOD' /etc/login.defs 2>/dev/null | awk '{print $2}')
case "$encrypt" in
  YESCRYPT|SHA512)
    echo "OK: Password hashing algorithm is $encrypt"
    exit 0
    ;;
  "")
    # CIS FAILs when ENCRYPT_METHOD is unset; do not assume a default.
    echo "FAIL: ENCRYPT_METHOD not set in /etc/login.defs"
    exit 1
    ;;
  *)
    echo "FAIL: Weak hashing algorithm: $encrypt"
    exit 1
    ;;
esac
expected_exit:
0
Remediateconfig_set
path:
/etc/login.defs
key:
ENCRYPT_METHOD
value:
YESCRYPT
separator:

Framework references

CIS

rhel9 5.4.1.4rhel8 5.4.1.4rhel10 5.4.1.4

STIG

V-258231 / RHEL-09-671015V-230231

NIST 800-53

IA-5IA-5(1)(c)

Live verification

rhel10:checkrhel9:check
#password#hashing#encryption#security