My openSUSE system is 12.3 64-bit Gnome, fresh installed from a live CD. I noticed in Yast -> Security Settings -> Password Settings that my Password Encryption Method was set to DES. This seems to be incorrect, as in previous releases I know the default to be SHA-512. I have two questions.
Is the default being DES a critical problem? I noticed no symptoms but later set the option back to SHA-512. Can anyone else confirm their password being set to DES?
Thanks for pointing out that file. It states there “If set to DES, DES-based algorithm will be used for encrypting password (default)”. So apparently DES is the new default algorithm. I am assuming it is not a problem then but I will look for more information before I draw a final conclusion. Mine now reads this as I have manually changed it in yast:
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD sha512
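Since ENCRYPT_METHOD only governs how passwords are hashed from now on, a useful check is to see which scheme the stored hashes actually use. The following script is an added example, not code from the thread or from openSUSE; it reads a constructed login.defs excerpt and constructed shadow-style lines (filler hash bodies, not real hashes) so it runs offline, and classifies each entry by its crypt(3) prefix ($1$ MD5, $2a$/$2y$ Blowfish, $5$ SHA-256, $6$ SHA-512, no prefix and 13 characters = traditional DES).

```python
"""Audit the configured password hashing scheme and the schemes of stored hashes.

Added example for this thread; not openSUSE code or any poster's code.
Input is constructed inline so it runs offline. On a real system you would
read /etc/login.defs and /etc/shadow (root only) instead.
"""
import re

# Constructed excerpt of /etc/login.defs in the format quoted in the thread.
LOGIN_DEFS = """\
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
ENCRYPT_METHOD sha512
"""

# Constructed /etc/shadow lines. Hash bodies are filler of plausible length,
# not real password hashes.
SHADOW = """\
root:$6$3xA9q1Zp${s512}:15800:0:99999:7:::
legacy:abJnggxhB/yWI:15800:0:99999:7:::
migrated:$1$ab12cd34${md5}:15800:0:99999:7:::
bsd:$2y$10${bcrypt}:15800:0:99999:7:::
daemon:*:15800:0:99999:7:::
guest:!:15800:0:99999:7:::
""".format(s512="A" * 86, md5="B" * 22, bcrypt="C" * 53)

# crypt(3) hash-format prefixes. Traditional DES has no prefix: a 13-character
# string over [./0-9A-Za-z] whose first two characters are the salt.
PREFIXES = {
    "$1$": "MD5",
    "$2a$": "Blowfish (bcrypt)",
    "$2y$": "Blowfish (bcrypt)",
    "$5$": "SHA-256",
    "$6$": "SHA-512",
}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
WEAK = {"DES", "MD5"}


def configured_method(login_defs_text):
    """Return the ENCRYPT_METHOD value (upper-cased), or None if it is unset.
    Blank lines and '#' comments are ignored, as login.defs itself does."""
    for line in login_defs_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "ENCRYPT_METHOD":
            return parts[1].strip().upper()
    return None


def classify_hash(field):
    """Name the hashing scheme of one shadow password field."""
    if field in ("", "*") or field.startswith("!"):
        return "no password / locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "DES"
    return "unknown"


def audit_shadow(shadow_text):
    """Map each user to its scheme and list the users still on DES or MD5."""
    schemes = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        schemes[user] = classify_hash(field)
    weak_users = sorted(u for u, s in schemes.items() if s in WEAK)
    return schemes, weak_users


if __name__ == "__main__":
    print("ENCRYPT_METHOD:", configured_method(LOGIN_DEFS))
    schemes, weak_users = audit_shadow(SHADOW)
    for user, scheme in schemes.items():
        print(f"{user:10} {scheme}")
    print("still hashed with DES/MD5:", weak_users)
```

Existing hashes are not converted when the setting changes; a user's entry is only re-hashed with the new scheme the next time that password is set, so the accounts the audit lists as DES or MD5 are the ones that still need a password change after moving to SHA-512.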
My openSUSE system is also 12.3 64-bit Gnome; when I did a fresh install from CD, I found the default offered, DES, confusing:
Password Encryption Method:
DES, the Linux default method, works in all network environments, but it restricts you to passwords no longer than eight characters. If you need compatibility with other systems, use this method.
MD5 allows longer passwords and is supported by all current Linux distributions, but not by other systems or old software.
SHA-512 is the current standard hash method, using other algorithms is not recommended unless needed for compatibility purpose.
Not being sure if there were any compatibility issues, I did need to set it to MD5, as I was using longer user passwords and the users wanted to get back on quickly.
Any need-to-do issues [other passwords, Samba changes?] prior to changing the setting from MD5 to SHA-512?
On 2013-03-25 04:16, nightwishfan wrote:
>
> Thanks for pointing out that file. It states there “If set to DES,
> DES-based algorithm will be used for encrypting password (default)”. So
> apparently DES is the new default algorithm. I am assuming it is not a
> problem then but I will look for more information before I draw a final
> conclusion. Mine now reads this as I have manually changed it in yast:
You could ask in the factory mail list, where most of the devs lurk, if
they have changed the default and why.
–
Cheers / Saludos,
Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)
I doubt that DES is the new default algorithm - DES goes back to the 1970s and was shown to be susceptible to brute force attacks in the 1990s. openSUSE used to use Blowfish which was shown to be vulnerable a couple of years ago; SHA512 has yet to be shown to be vulnerable and is the default unless you are networked to systems which cannot handle SHA512.
Agree DES and MD5 should be avoided unless there is a special reason, i.e. some app or module that reads the password hash directly. Am not sure why that behavior should be supported anywhere, since no matter how it is hashed, authentication can be handled <through> the OS instead.
Defaults
12.3 upgrade from a fresh install 12.2 = SHA512.