diff --git a/debian/login.defs b/debian/login.defs index 3e03a961..ebf22430 100644 --- a/debian/login.defs +++ b/debian/login.defs @@ -279,11 +279,13 @@ USERGROUPS_ENAB yes #MD5_CRYPT_ENAB no # -# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to MD5, MD5-based algorithm will be used for encrypting password # If set to SHA256, SHA256-based algorithm will be used for encrypting password # If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password # If set to DES, DES-based algorithm will be used for encrypting password (default) +# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations. # Overrides the MD5_CRYPT_ENAB option # # Note: It is recommended to use a value consistent with @@ -292,20 +294,21 @@ USERGROUPS_ENAB yes ENCRYPT_METHOD SHA512 # -# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512. # # Define the number of SHA rounds. -# With a lot of rounds, it is more difficult to brute forcing the password. -# But note also that it more CPU resources will be needed to authenticate -# users. +# With a lot of rounds, it is more difficult to brute-force the password. +# However, more CPU resources will be needed to authenticate users if +# this value is increased. # -# If not specified, the libc will choose the default number of rounds (5000). -# The values must be inside the 1000-999999999 range. +# If not specified, the libc will choose the default number of rounds (5000), +# which is orders of magnitude too low for modern hardware. +# The values must be within the 1000-999999999 range. # If only one of the MIN or MAX values is set, then this value will be used. # If MIN > MAX, the highest value will be used. # -# SHA_CRYPT_MIN_ROUNDS 5000 -# SHA_CRYPT_MAX_ROUNDS 5000 +#SHA_CRYPT_MIN_ROUNDS 5000 +#SHA_CRYPT_MAX_ROUNDS 5000 # # Only works if ENCRYPT_METHOD is set to YESCRYPT.