[SECURITY] Numerous references to MD5 password hashing

The UI (all kinds of password-related modules in Webmin, Usermin and Virtualmin) is full of outdated references to MD5 password hashing.

All of those old references/modules need SHA512 as their new defaults.

(And yes, I am aware that SHA512 is the default in Virtualmin itself; I am speaking mainly of Webmin here)

Status: 
Active

Comments

Where specifically are you seeing references to MD5?

Everywhere.

Grep the source for MD5 and you'll find it too. There are 2-3 old Webmin/Usermin modules that have options such as:

Hashing: [x] MD5 [ ] Blowfish (or whatever the other one was)

I checked, and all the references I could see to MD5 just included it as an option among various password hashing types..

Try Usermin Configuration -> Usermin Module Configuration -> Change Passwords.

Probably other places like that. I jsut had a quick look to see what the fuss was about.

Thanks - I'll fix up that usermin module by allowing other hashing formats.