With shadow >= 4.14.0, Arch Linux's default password hashing algorithm changed from SHA512 to yescrypt. Furthermore, the umask settings are now configured in /etc/login.defs instead of /etc/profile.
This should not require any manual intervention.
Reasons for Yescrypt
The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam) and its stronger resilience towards password cracking attempts compared to SHA512.
Although the winner of the Password Hashing Competition was argon2, this algorithm is not yet available in libxcrypt (attempt one, attempt two).
Configuring yescrypt
The YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix module (i.e. in /etc/pam.d/system-auth).
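As an added example (not part of this announcement and not Arch's own tooling), the POSIX sh helpers below let an administrator verify the switch on a system: which hashing method a shadow-style hash uses, judged by its "$id$" prefix; what cost is encoded in a yescrypt hash's parameter field (the default cost factor 5 produces the "$y$j9T$" prefix, which decodes to N=4096 and r=32); and which rounds= value, if any, the pam_unix password line in a PAM service file sets. The prefix table and the parameter decoding follow libxcrypt's yescrypt encoding as assumed here; all hashes and the PAM fragment are constructed sample data, not real credentials or a real system file.

```shell
#!/bin/sh
# Added example, not from the Arch Linux announcement. Helpers to
# (1) name the hashing method of a shadow-style hash by its "$id$" prefix,
# (2) decode the yescrypt parameter field ("j9T" at the default cost), and
# (3) read the rounds= option from a pam_unix "password" line.
# All sample data below is constructed; nothing here is a real credential.

# crypt(3)-style prefixes as registered by libxcrypt (assumed table).
hash_algo() {
    case "$1" in
        '$y$'*)                  echo yescrypt ;;
        '$gy$'*)                 echo gost-yescrypt ;;
        '$7$'*)                  echo scrypt ;;
        '$6$'*)                  echo sha512 ;;
        '$5$'*)                  echo sha256 ;;
        '$2b$'*|'$2y$'*|'$2a$'*) echo bcrypt ;;
        '$1$'*)                  echo md5 ;;
        '!'*|'*'*|'')            echo locked-or-none ;;
        *)                       echo unknown ;;
    esac
}

# The crypt base-64 alphabet used by yescrypt's parameter encoding.
ITOA64='./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# 0-based position of one character in ITOA64.
itoa64_index() {
    rest=${ITOA64#*"$1"}
    echo $(( 63 - ${#rest} ))
}

# Decode "$y$<params>$<salt>$<hash>". With default p/t/g the parameter
# field is three characters: flags, log2(N) and r. The last two are one
# alphabet character each holding value-1 (yescrypt's encode64_uint32 with
# min=1, which covers values 1..48 in a single character). Longer fields
# (non-default p/t/g, or larger values) are rejected rather than guessed.
yescrypt_params() {
    p=${1#\$y\$}
    p=${p%%\$*}
    [ ${#p} -eq 3 ] || { echo unsupported-params; return 1; }
    flags=$(printf %s "$p" | cut -c1)
    log2n=$(( $(itoa64_index "$(printf %s "$p" | cut -c2)") + 1 ))
    r=$(( $(itoa64_index "$(printf %s "$p" | cut -c3)") + 1 ))
    echo "flags=$flags log2N=$log2n N=$(( 1 << $log2n )) r=$r"
}

# rounds= from the first pam_unix "password" line of a PAM service file;
# falls back to 5, the default cost factor named in the announcement.
pam_unix_rounds() {
    line=$(grep -E '^password.*pam_unix\.so' "$1" | head -n 1)
    case "$line" in
        *rounds=*) r=${line##*rounds=}; echo "${r%%[!0-9]*}" ;;
        *)         echo 5 ;;
    esac
}

# Constructed samples: a yescrypt hash at the default cost, a SHA512 hash
# from before the change, and a locked account entry.
YESCRYPT_SAMPLE='$y$j9T$ConstructedSaltNotReal$ConstructedHashValueNotARealCredential000'
SHA512_SAMPLE='$6$ConstructedSalt$ConstructedHashValueNotARealCredential000000000000000'
LOCKED_SAMPLE='!'

# Constructed /etc/pam.d/system-auth fragment with an explicit cost factor.
PAM_SAMPLE=$(mktemp)
trap 'rm -f "$PAM_SAMPLE"' EXIT
cat > "$PAM_SAMPLE" <<'EOF'
#%PAM-1.0
password   required   pam_unix.so   try_first_pass nullok shadow rounds=7
EOF

for h in "$YESCRYPT_SAMPLE" "$SHA512_SAMPLE" "$LOCKED_SAMPLE"; do
    printf '%-15s %s\n' "$(hash_algo "$h")" "$h"
done
yescrypt_params "$YESCRYPT_SAMPLE"   # flags=j log2N=12 N=4096 r=32
echo "pam_unix rounds: $(pam_unix_rounds "$PAM_SAMPLE")"
```

On a real system the same functions can be pointed at the second field of a line from /etc/shadow (read as root) and at /etc/pam.d/system-auth; any account whose hash still reports sha512 has simply not had its password changed since the switch, since existing hashes are not rewritten until the next password change.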
General list of changes
- yescrypt is used as the default password hashing algorithm, instead of SHA512
- pam honors the chosen ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore
- changes in the filesystem (>= 2023.09.18) and pambase (>= 20230918) packages ensure that umask is set centrally in /etc/login.defs instead of /etc/profile