• Type: Bug
    • Resolution: Unresolved
    • rhel-9.5
    • rhel-9.0.0
    • shadow-utils
    • sst_idm_sssd
    • ssg_idm

      The SHA_CRYPT_MAX_ROUNDS value should be increased from 5000 and uncommented to be the default setting. The recommended submitted default is 100,000 rounds. For cycles which are linear functions of iteration counts, like PBKDF2, 100,000 rounds is 20x more difficult to brute force than 5000. The number could be much higher, but 100,000 was chosen to represent a minimum security standard. Software should be shipped secure, and customers should have to make the product insecure if they so desire, not the other way around.

      • According to the login.defs manpage, 5,000 “is orders of magnitude too low for modern hardware” (login.defs(5), n.d.).
      • When LastPass was breached, many password files were left on 5,000 hashing rounds, contributing to potential successful password cracking (Krebs, 2023).
      • Even old systems can hash 65,536 rounds in less than a second (SHA hashes, 2024).
      • For the PBKDF2-HMAC algorithm, OWASP recommends 210,000, 600,000, and 1,300,000 rounds depending on the variant (OWASP, 2021).
      • While 5000 rounds is the STIG minimum (e.g. RHEL-08-010130), I contacted the DISA STIG support team who responded “the evidence you have presented suggests that this minimum could be raised for this requirement” and that an update may occur in a future release of the STIG.

      Merge Request: https://gitlab.com/redhat/centos-stream/rpms/shadow-utils/-/merge_requests/22
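As an added example (not part of the bug report or the shadow-utils merge request), the script below audits the two places the report is concerned with: the per-hash `rounds=` field that crypt(3) writes into `$5$`/`$6$` hashes, where a missing field means the implied default of 5000, and whether `login.defs` actually sets `SHA_CRYPT_MAX_ROUNDS` or still has it commented out. The shadow lines and `login.defs` text are constructed sample data, and the hash bodies are filler rather than real digests.

```python
"""Audit sha-crypt hashes and login.defs for weak round counts.
Added example, not from the bug report; the sample data below is constructed."""
import re

DEFAULT_ROUNDS = 5000         # implied when a sha-crypt hash carries no rounds= field
RECOMMENDED_ROUNDS = 100_000  # the default proposed in the issue
# $<id>$[rounds=N$]<salt>$<hash>, id 5 = sha256crypt, 6 = sha512crypt
SHA_CRYPT_RE = re.compile(r"^\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$")

def hash_rounds(field):
    """Return (algorithm, rounds) for a sha-crypt field, or None for other schemes."""
    m = SHA_CRYPT_RE.match(field)
    if not m:
        return None  # yescrypt, md5crypt, etc. are out of scope here
    algo = "sha512crypt" if m.group("id") == "6" else "sha256crypt"
    rounds = int(m.group("rounds")) if m.group("rounds") else DEFAULT_ROUNDS
    return algo, rounds

def weak_shadow_entries(shadow_text, minimum=RECOMMENDED_ROUNDS):
    """List (user, algorithm, rounds) for sha-crypt hashes below `minimum`."""
    weak = []
    for line in filter(str.strip, shadow_text.splitlines()):
        user, field = line.split(":")[:2]
        if field in ("", "*") or field.startswith("!"):
            continue  # locked or passwordless account: nothing to crack
        info = hash_rounds(field)
        if info and info[1] < minimum:
            weak.append((user, info[0], info[1]))
    return weak

def login_defs_rounds(text):
    """Effective SHA_CRYPT_{MIN,MAX}_ROUNDS from login.defs; '#'-commented lines do not count."""
    found = re.findall(r"^\s*(SHA_CRYPT_(?:MIN|MAX)_ROUNDS)\s+(\d+)", text, re.M)
    return {name: int(value) for name, value in found}

# Constructed sample data; hash bodies are filler, not real digests.
SAMPLE_SHADOW = "\n".join([
    "root:$6$rounds=100000$s4ltsalt$" + "A" * 86 + ":19700:0:99999:7:::",
    "alice:$6$xyzsalt1$" + "B" * 86 + ":19700:0:99999:7:::",     # no rounds= -> 5000
    "bob:$6$rounds=65536$abcdefgh$" + "C" * 86 + ":19700:0:99999:7:::",
    "svc:!!:19700::::::",
    "carol:$y$j9T$saltsalt$" + "D" * 43 + ":19700:0:99999:7:::",  # yescrypt, not audited
])
SAMPLE_LOGIN_DEFS = "# shipped defaults, both commented out\n#SHA_CRYPT_MIN_ROUNDS 5000\n#SHA_CRYPT_MAX_ROUNDS 5000\n"

if __name__ == "__main__":
    for user, algo, rounds in weak_shadow_entries(SAMPLE_SHADOW):
        print(f"{user}: {algo} at {rounds} rounds, {RECOMMENDED_ROUNDS / rounds:.1f}x cheaper per guess than {RECOMMENDED_ROUNDS}")
    print("login.defs sets:", login_defs_rounds(SAMPLE_LOGIN_DEFS) or "nothing (crypt default of 5000 applies)")
```

Only hashes created after `SHA_CRYPT_MAX_ROUNDS` is raised pick up the new value, so the shadow check is what tells you which existing accounts still sit at 5000.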

            ipedrosa@redhat.com Iker Pedrosa
            anthonyrosa Anthony Rosa
            Alex Langston, Andrea Hall