Profile Applicability:
• Level 1
Description:
Configuring a strong password hashing algorithm (e.g., SHA-512) makes stored password hashes more resistant to brute-force and dictionary attacks, reducing the likelihood of password compromise.
Rationale:
Using a robust hashing algorithm protects stored passwords by increasing the computational effort required to crack them, thereby improving overall system security.
Impact:
Pros:
Enhances password security.
Supports compliance with security best practices and standards.
Cons:
May slightly increase CPU load during authentication.
Default Value:
Many modern Linux systems use SHA-512 or stronger hashing by default, but the setting actually in effect should be verified.
Pre-requisites:
Root or sudo privileges to modify password hashing configurations.
Remediation:
Test Plan:
Using Linux command line:
1. Check the current password hashing algorithm in /etc/login.defs or PAM configuration:
grep ENCRYPT_METHOD /etc/login.defs
2. Verify the hashing algorithm is set to SHA512 or stronger.
Implementation Plan:
Using Linux command line:
1. Edit /etc/login.defs to set a strong hashing algorithm:
vi /etc/login.defs
2. Set or update the following line:
ENCRYPT_METHOD SHA512
3. Save the file.
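The following audit script is an added example and is not part of the benchmark text. It performs the Test Plan check on login.defs and also lists accounts whose stored hash still uses an older algorithm, because ENCRYPT_METHOD only affects hashes created after the change; existing entries in /etc/shadow keep their old hash until the password is next changed. The login.defs and shadow contents below are constructed samples, not real data.

```shell
#!/bin/sh
# Added audit helper (not from the CIS benchmark). Runs against constructed
# sample files so it can be tried without touching a real system; point the
# functions at /etc/login.defs and /etc/shadow (as root) to audit a host.

# Print the active (uncommented) ENCRYPT_METHOD value, last one wins.
encrypt_method() {
    awk '$1 == "ENCRYPT_METHOD" { print $2 }' "$1" | tail -n 1
}

# Return 0 when the configured method is SHA512 or YESCRYPT, 1 otherwise.
method_is_strong() {
    case "$(encrypt_method "$1")" in
        SHA512|YESCRYPT) return 0 ;;
        *) return 1 ;;
    esac
}

# List accounts whose stored hash is neither SHA-512 ($6$) nor yescrypt ($y$).
# Locked (!, *) and empty password fields are skipped: they hold no hash.
weak_hash_accounts() {
    awk -F: '{ p = substr($2, 1, 3) }
             $2 != "" && $2 !~ /^[!*]/ && p != "$6$" && p != "$y$" { print $1 }' "$1"
}

# Constructed sample data; the hash strings are dummies, not real credentials.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# ENCRYPT_METHOD SHA512
ENCRYPT_METHOD MD5
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$dummyhash:19000:0:99999:7:::
alice:$1$saltsalt$dummyhash:19000:0:99999:7:::
bob:$y$j9T$saltsalt$dummyhash:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF

if method_is_strong "$SAMPLE_DIR/login.defs"; then
    echo "ENCRYPT_METHOD is strong"
else
    echo "ENCRYPT_METHOD is weak: $(encrypt_method "$SAMPLE_DIR/login.defs")"
fi
echo "accounts whose stored hash should be regenerated:"
weak_hash_accounts "$SAMPLE_DIR/shadow"
```

On the sample data the script reports MD5 as the configured method and lists only alice, whose $1$ (MD5) hash would persist after the ENCRYPT_METHOD change until her password is reset.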
Backout Plan:
Using Linux command line:
Revert changes in /etc/login.defs if necessary.
Test password changes to verify behavior.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Linux login.defs Manual