package: release-notes
x-debbugs-cc: pam@packages.debian.org

Hi. I've never filed one of these before, and I'm in the middle of several other things, so I decided to file the bug even if I get it not quite right rather than forgetting.

Pam 1.4.0-3 changes the default password hash to yescrypt. That means that users may get a security improvement if they reset their passwords. It also has compatibility implications. I'd recommend text like the following for the release notes:

Password Hashing Uses Yescrypt by Default

The default password hash for local system accounts has been changed to yescrypt (https://www.openwall.com/yescrypt/). This is expected to provide improved security against dictionary-based password guessing attacks, focusing on both the space and the time complexity of the attack. To take advantage of this improved security, change local passwords; for example, use the `passwd` command. Old passwords will continue to work using whatever password hash was used to create them.

Yescrypt is not supported by Debian 10 (Buster). As a result, shadow password files (`/etc/shadow`) cannot be copied from a Debian 11 system back to a Debian 10 system. If these files are copied, passwords that have been changed on the Debian 11 system will not work on the Debian 10 system. Similarly, password hashes cannot be cut and pasted from a Debian 11 to a Debian 10 system.

If compatibility is required for password hashes between Debian 11 and Debian 10, modify `/etc/pam.d/common-password`. Find the line that looks like:

    password [success=1 default=ignore] pam_unix.so obscure yescrypt

and replace `yescrypt` with `sha512`.
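The two checks an administrator would want before copying `/etc/shadow` between releases, or before relying on the `common-password` edit above, are: which accounts already carry a yescrypt (`$y$`) hash, and which hash option the `pam_unix.so` password line currently sets. The script below does both. It is an added example, not code from this bug report or from Debian; the shadow entries and the `common-password` contents are constructed sample data with placeholder hash bodies, the `$`-prefix table follows the crypt(5) identifiers, and the option names follow pam_unix(8). Only yescrypt is flagged as unverifiable on Debian 10, because that is what the report states.

```python
"""Classify shadow hash algorithms and read/rewrite the pam_unix hash option.

Added example; not part of the bug report or of Debian. Sample data below is
constructed, with placeholder salt and hash bodies.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# crypt(5) hash-string prefix -> algorithm name (subset; extend as needed).
HASH_PREFIXES = {
    "$gy$": "gost-yescrypt",
    "$y$": "yescrypt",
    "$7$": "scrypt",
    "$6$": "sha512",
    "$5$": "sha256",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$1$": "md5",
}
# Algorithms the report says a Debian 10 (Buster) system cannot verify.
NOT_IN_DEBIAN_10 = {"yescrypt"}
# Hash-selection options accepted on the pam_unix.so "password" line.
PAM_HASH_OPTIONS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish",
                    "yescrypt", "gost_yescrypt"}

# Constructed /etc/shadow excerpt (hash bodies are placeholders, not real).
SAMPLE_SHADOW = """\
root:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASHBODY:19000:0:99999:7:::
alice:$6$PLACEHOLDERSALT$PLACEHOLDERHASHBODY:18500:0:99999:7:::
bob:!$6$PLACEHOLDERSALT$PLACEHOLDERHASHBODY:18500:0:99999:7:::
daemon:*:18000:0:99999:7:::
legacy:abJnggxhB/yWI:15000:0:99999:7:::
"""

# Constructed /etc/pam.d/common-password, modelled on the line quoted above.
SAMPLE_COMMON_PASSWORD = """\
# here are the per-package modules (the "Primary" block)
password\t[success=1 default=ignore]\tpam_unix.so obscure yescrypt
# here's the fallback if no module succeeds
password\trequisite\t\t\tpam_deny.so
password\trequired\t\t\tpam_permit.so
"""


def hash_algorithm(field: str) -> str:
    """Name the crypt algorithm of one shadow password field."""
    if field == "" or field[0] in "!*":          # no password, or account locked
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):  # traditional DES crypt
        return "descrypt"
    return "unknown"


def parse_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (user, algorithm) for every non-empty shadow line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        entries.append((fields[0], hash_algorithm(fields[1])))
    return entries


def incompatible_with_debian_10(entries: List[Tuple[str, str]]) -> List[str]:
    """Users whose hash would not verify after copying shadow to Debian 10."""
    return [user for user, algo in entries if algo in NOT_IN_DEBIAN_10]


def algorithm_counts(entries: List[Tuple[str, str]]) -> Dict[str, int]:
    return dict(Counter(algo for _, algo in entries))


def _pam_unix_tokens(line: str) -> Optional[Tuple[List[str], int]]:
    """Tokens of an active pam_unix.so 'password' line and the module's index."""
    tokens = line.split()
    if not tokens or tokens[0] != "password" or "pam_unix.so" not in tokens:
        return None
    return tokens, tokens.index("pam_unix.so")


def pam_unix_password_hash(common_password: str) -> Optional[str]:
    """Hash option on the pam_unix.so password line; None if it sets none."""
    for line in common_password.splitlines():
        found = _pam_unix_tokens(line)
        if found is None:
            continue
        tokens, i = found
        return next((t for t in tokens[i + 1:] if t in PAM_HASH_OPTIONS), None)
    return None


def set_pam_unix_password_hash(common_password: str, new_hash: str) -> str:
    """Return common-password text with the pam_unix hash option replaced."""
    out = []
    for line in common_password.splitlines():
        found = _pam_unix_tokens(line)
        if found is not None:
            tokens, i = found
            tokens[i + 1:] = [new_hash if t in PAM_HASH_OPTIONS else t
                              for t in tokens[i + 1:]]
            if new_hash not in tokens[i + 1:]:
                tokens.append(new_hash)
            line = " ".join(tokens)       # whitespace is normalised to spaces
        out.append(line)
    return "\n".join(out) + ("\n" if common_password.endswith("\n") else "")


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    print("hash algorithms in use:", algorithm_counts(entries))
    print("would not verify on Debian 10:", incompatible_with_debian_10(entries))
    print("pam_unix hash option:", pam_unix_password_hash(SAMPLE_COMMON_PASSWORD))
    print(set_pam_unix_password_hash(SAMPLE_COMMON_PASSWORD, "sha512"), end="")
```

On a real host, `parse_shadow(open("/etc/shadow").read())` needs root and gives the same report for live accounts; an account listed as `locked` keeps its stored hash behind the `!` and will become a yescrypt problem only if it is unlocked later. The rewrite helper collapses tabs to single spaces, which PAM accepts, but review the diff before installing the result.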