https://bugzilla.suse.com/show_bug.cgi?id=1177182

Bug ID: 1177182
Summary: Don't use DES as default password encryption
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: fvogt@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

If (/usr)/etc/login.defs does not specify ENCRYPT_METHOD, it defaults to DES.

This means that if the file is deleted, not readable (typo) or something unrelated in YaST throws an exception (boo#1176714), passwords in /etc/shadow are trivially reversible.

At this point we've used something else in the system-provided login.defs for ages, so changing the default in the packages reading and applying those files (upstream?) should be safe.
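
An added audit sketch, not part of the original report and not code from the shadow or YaST packages: it works out which ENCRYPT_METHOD applies when login.defs is missing, unreadable or has the key commented out, and lists accounts whose /etc/shadow field is a traditional 13-character DES crypt(3) string. The function names and sample data are constructed for illustration, and treating the last ENCRYPT_METHOD line as the winning one is an assumption.

```python
import re

# Constructed sample inputs for illustration; not taken from any real system.
SAMPLE_LOGIN_DEFS = "# constructed example\nUMASK 022\n#ENCRYPT_METHOD SHA512\n"
SAMPLE_SHADOW = (
    "root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
    "alice:XXconstructed:19000:0:99999:7:::\n"
    "bob:!:19000::::::\n"
    "carol:!XXconstructed:19000:0:99999:7:::\n"
)

PREFIX_IDS = {"1": "MD5", "5": "SHA256", "6": "SHA512", "y": "YESCRYPT"}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")  # traditional crypt(3): 2 salt + 11 hash chars


def effective_encrypt_method(login_defs_text):
    """Return the ENCRYPT_METHOD that applies; None models a missing/unreadable file."""
    method = "DES"  # fallback described in the bug report
    for line in (login_defs_text or "").splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment, including a commented-out setting
        if len(parts) >= 2 and parts[0] == "ENCRYPT_METHOD":
            method = parts[1]  # assumption: the last setting in the file wins
    return method


def classify_hash(field):
    """Name the hashing scheme of one /etc/shadow password field."""
    body = field.lstrip("!")  # a leading '!' marks a locked password; a hash may follow
    if body in ("", "*"):
        return "NONE"
    if body.startswith("$"):
        return PREFIX_IDS.get(body.split("$")[1], "OTHER")
    return "DES" if DES_RE.fullmatch(body) else "OTHER"


def audit(login_defs_text, shadow_text):
    """Report the effective method and the accounts that still carry DES hashes."""
    des_users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and classify_hash(fields[1]) == "DES":
            des_users.append(fields[0])
    return {"method": effective_encrypt_method(login_defs_text), "des_users": des_users}


if __name__ == "__main__":
    print(audit(SAMPLE_LOGIN_DEFS, SAMPLE_SHADOW))
    print(audit(None, SAMPLE_SHADOW))
```

On a real host the two arguments would be the contents of login.defs (or None if it cannot be read) and of /etc/shadow, read with root privileges.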