Task
Resolution: Done
Major
Looking in BSDUnixDESCryptPasswordImpl, we can see that there are a few places where the salt is created using ThreadLocalRandom.current().nextInt() (e.g., see https://github.com/wildfly-security/wildfly-elytron/blob/2.x/password/impl/src/main/java/org/wildfly/security/password/impl/BSDUnixDESCryptPasswordImpl.java#L75).
We should update BSDUnixDESCryptPasswordImpl so that SecureRandom is used to create the salt instead of ThreadLocalRandom.
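
The change requested above, sketched as an added example that is not Elytron's own code: the class and method names are hypothetical, and the 24-bit salt width and four-character crypt base-64 encoding are assumed from the BSDi extended DES crypt format.

```java
import java.security.SecureRandom;
import java.util.concurrent.ThreadLocalRandom;

// Added illustration; class and method names are hypothetical, not Elytron's.
public class BsdDesCryptSaltExample {

    // Assumption: BSDi extended DES crypt uses a 24-bit salt.
    private static final int SALT_MASK = 0xFFFFFF;

    // crypt(3) base-64 alphabet, 6 bits per character.
    private static final String ITOA64 =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    // One shared instance: SecureRandom is thread-safe and seeding is costly.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    // Before: ThreadLocalRandom is a fast, non-cryptographic PRNG whose
    // output is not designed to be unpredictable.
    static int saltFromThreadLocalRandom() {
        return ThreadLocalRandom.current().nextInt() & SALT_MASK;
    }

    // After: salt drawn from a CSPRNG, same 24-bit range.
    static int saltFromSecureRandom() {
        return SECURE_RANDOM.nextInt() & SALT_MASK;
    }

    // Encode a 24-bit value as four crypt base-64 characters, low 6 bits first.
    static String encodeSalt(int salt) {
        StringBuilder sb = new StringBuilder(4);
        for (int i = 0; i < 4; i++) {
            sb.append(ITOA64.charAt((salt >>> (6 * i)) & 0x3F));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        int before = saltFromThreadLocalRandom();
        int after = saltFromSecureRandom();
        System.out.println("ThreadLocalRandom salt: " + encodeSalt(before));
        System.out.println("SecureRandom salt:      " + encodeSalt(after));
    }
}
```

Both methods return values in the same range, so the swap does not change the stored hash format; only the source of the salt bits changes.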