5.4.3 Ensure password hashing algorithm is SHA-512

Information

The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm.

Note:

These changes only apply to accounts configured on the local system.

Additional module options may be set; this recommendation only covers those listed here.

Rationale:

The SHA-512 algorithm provides much stronger hashing than MD5, thus providing additional protection to the system by increasing the level of effort for an attacker to successfully determine passwords.

Solution

Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the sha512 option and remove the md5 option on the pam_unix.so password line:

password sufficient pam_unix.so sha512

Note:

Any system accounts that need to be expired should be carefully done separately by the system administrator to prevent any potential problems.

If it is determined that the password algorithm being used is not SHA-512, once it is changed, it is recommended that all user IDs be immediately expired and forced to change their passwords on next login, in accordance with local site policies.

To accomplish this, the following command can be used.

This command intentionally does not affect the root account. The root account's password will also need to be changed separately.

# Reads UID_MIN from /etc/login.defs, selects the matching accounts from /etc/passwd (skipping root, nobody and nfsnobody), and sets each one's last password change date to 0 so a new password is demanded at next login
# awk -F: '( $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $1 !~ /^(nfs)?nobody$/ && $1 != "root" ) { print $1 }' /etc/passwd | xargs -n 1 chage -d 0
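The following audit helper is an added example, not part of the CIS or STIG text. It checks a PAM file for the sha512/md5 state described above and lists, from a shadow-format file, the accounts whose stored hash is still not SHA-512 ($6$ prefix) and therefore still need a password change; the file contents and hashes below are constructed placeholders.

```shell
#!/bin/sh
# Added audit helpers (not from the CIS/STIG text):
#  pam_hash_ok FILE         - every "password ... pam_unix.so" line in a PAM
#                             file carries sha512 and no md5 option.
#  non_sha512_accounts FILE - accounts in a shadow-format file whose stored
#                             hash is not SHA-512 ($6$), i.e. accounts that
#                             still need a password change after the fix.
# Sample files below are constructed; the hashes are placeholders, not real.

pam_hash_ok() {
    awk '$1 == "password" && /pam_unix\.so/ {
            seen++; has512 = 0; hasmd5 = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "sha512") has512 = 1
                if ($i == "md5")    hasmd5 = 1
            }
            if (!has512 || hasmd5) bad++
         }
         # fail if no pam_unix password line exists or any such line is wrong
         END { if (seen > 0 && bad == 0) exit 0; exit 1 }' "$1"
}

# Locked or disabled entries (*, !, !!) carry no hash and are skipped.
non_sha512_accounts() {
    awk -F: '$2 ~ /^\$/ && $2 !~ /^\$6\$/ { print $1 }' "$1"
}

# --- constructed sample input --------------------------------------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PAM_GOOD="$SAMPLE_DIR/system-auth.good"
SAMPLE_PAM_BAD="$SAMPLE_DIR/system-auth.bad"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"

printf '%s\n' \
  'password    requisite     pam_pwquality.so try_first_pass retry=3' \
  'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok' \
  'password    required      pam_deny.so' > "$SAMPLE_PAM_GOOD"
printf '%s\n' \
  'password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok' \
  'password    required      pam_deny.so' > "$SAMPLE_PAM_BAD"
printf '%s\n' \
  'root:$6$FAKESALT$FAKEHASH:18800:0:99999:7:::' \
  'alice:$1$FAKESALT$FAKEHASH:18800:0:99999:7:::' \
  'bob:$6$FAKESALT$FAKEHASH:18800:0:99999:7:::' \
  'daemon:*:18800:0:99999:7:::' \
  'carol:!!:18800:0:99999:7:::' > "$SAMPLE_SHADOW"

pam_hash_ok "$SAMPLE_PAM_GOOD" && echo "good file: sha512 configured"
pam_hash_ok "$SAMPLE_PAM_BAD"  || echo "bad file: md5 still configured"
echo "accounts still on a non-SHA-512 hash: $(non_sha512_accounts "$SAMPLE_SHADOW")"
```

Run the two functions against the real /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/shadow (as root) to audit a live system.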

Additional Information:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide

Version 3, Release: 4 Benchmark Date: 23 Jul 2021

Vul ID: V-204415

Rule ID: SV-204415r603261_rule

STIG ID: RHEL-07-010200

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c), CCI|CCI-000196, CSCv7|16.4, Rule-ID|SV-204415r603261_rule, STIG-ID|RHEL-07-010200

Plugin: Unix

Control ID: 2fbd03044b85bcf66f140cb8a5ed07fc2001340da1fac22e0290284296ac53e3