
#1 2023-09-25 01:20:37

amish
Member
Registered: 2014-05-10
Posts: 475

Yescrypt announcement missed the main point of implementation!

So recently Arch Linux moved to yescrypt for password hashing.

https://archlinux.org/news/changes-to-d … -settings/

It says that "This should not require any manual intervention" and also mentions the reasons for yescrypt and how to configure yescrypt.

However, the announcement misses the main point of the implementation (configuration): if you want to make your current password secure, you must change the password again (it can be the same as the current password), so that yescrypt actually gets used.

So manual intervention is indeed required for each user who has a password set, else yescrypt will not be used for an existing password that has not yet been switched to yescrypt hashing.

Advanced users may realize this step and do it on their own, but other users who do not really know how the password hash is stored in the shadow file will think that they are more secure now that their Arch system has switched to yescrypt (which would not be true, as their current password still uses a different hash).

I think this point (of changing the password) should also be mentioned in the announcement as it is actually the main point.

Thank you.

Last edited by amish (2023-09-25 01:25:39)


#2 2023-09-25 04:15:53

Awebb
Member
Registered: 2010-05-06
Posts: 6,640

Re: Yescrypt announcement missed the main point of implementation!

The news was posted by someone named David Runge. Go to the main page and find the "People" section. News is likely to come from developers. Find him there. There is no guarantee that developers read every post on the bbs.

Intervention is not required, though, as the system will continue to operate normally without a password change. There was a recent instance where this wasn't the case (https://archlinux.org/news/sorting-out- … rd-hashes/). In addition, yescrypt being the default doesn't mean that any other hashing algorithm is now insecure.


#3 2023-09-25 04:30:37

amish
Member
Registered: 2014-05-10
Posts: 475

Re: Yescrypt announcement missed the main point of implementation!

I agree that the other hashing algorithms are not insecure.

But the purpose of migrating to yescrypt here is to use the best available hashing algorithm.

The idea also is that, in case someone gets hold of the shadow file, it should become more difficult for that person to crack the password.

So as long as you don't change / reset the password, the above implementation is completely useless.

Hence I believe that the announcement should recommend (but as optional) a change of password, and mention that until the user changes his/her password, yescrypt will not be used.

Last edited by amish (2023-09-25 13:40:09)

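A small audit helper, added here as an example and not part of any post in this thread: it parses shadow-format lines (the sample entries below are constructed placeholders, not real hashes) and lists the accounts whose password hash is still not yescrypt, i.e. the ones that need a password change before the new default applies to them.

```python
# Hash-id prefixes as written to /etc/shadow by libxcrypt; yescrypt is "$y$".
HASH_PREFIXES = {
    "$y$": "yescrypt",
    "$7$": "scrypt",
    "$6$": "sha512crypt",
    "$5$": "sha256crypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$2a$": "bcrypt",
    "$1$": "md5crypt",
}

# Constructed sample shadow entries (salt/hash parts are placeholders).
SAMPLE_SHADOW = """\
root:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19600:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19400:0:99999:7:::
bob:$2b$10$CONSTRUCTEDSALTANDHASH:19400:0:99999:7:::
svc:!:19000::::::
nologin:*:19000::::::
"""


def classify_hash(field: str) -> str:
    """Return the hash scheme of one shadow password field, or a status for non-hash fields."""
    if field == "":
        return "empty"          # no password at all
    if field.startswith("!") or field == "*":
        return "locked"         # "!" locks the account, "*" disables password login
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown"


def audit_shadow(text: str) -> dict:
    """Parse shadow-format lines and return {user: scheme} for every entry."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue            # malformed line, skip rather than guess
        result[fields[0]] = classify_hash(fields[1])
    return result


def pending_migration(text: str) -> list:
    """Users with a real password hash that is not yescrypt: they must run passwd for yescrypt to apply."""
    return sorted(u for u, s in audit_shadow(text).items() if s not in ("yescrypt", "locked", "empty"))
```

Run it against `sudo cat /etc/shadow` output on a real system to see which accounts have not been re-hashed yet; the line is not touched until the user sets a (possibly identical) password again.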

#4 2023-09-25 04:43:05

amish
Member
Registered: 2014-05-10
Posts: 475

Re: Yescrypt announcement missed the main point of implementation!

Awebb wrote:

The news was posted by someone named David Runge. Go to the main page and find the "People" section. News is likely to come from developers.

Sent an email to him. Thanks.
