← Rules Catalog
mediumaccess-controlverified rollback-safe

Encrypt stored passwords with a FIPS 140-3 hashing algorithm (Ubuntu)

password-hashing-fips-ubuntu · UBUNTU ≥ 22 · 1 impl

Description

/etc/login.defs ENCRYPT_METHOD must be set to SHA512 so that stored passwords use a FIPS 140-3 approved hashing algorithm.

Rationale

yescrypt (the Ubuntu default) is not FIPS 140-3 validated. SHA512 is the approved algorithm for storing password hashes in a FIPS posture.

Check → Remediate

Checkconfig_value
path:
/etc/login.defs
key:
ENCRYPT_METHOD
expected:
SHA512
delimiter:
Remediateconfig_set
path:
/etc/login.defs
key:
ENCRYPT_METHOD
value:
SHA512
separator:

Framework references

STIG

V-270739 / UBTU-24-400400V-260572 / UBTU-22-611070

NIST 800-53

IA-5IA-5(1)(c)

Live verification

ubuntu22:checkubuntu24:check
#password#hashing#fips#login.defs