Shadow-utils 4.19.0 released
4.19.0 of the https://github.com/shadow-maint/shadow?tab=readme-ov-file#shadow-utils
project has been released. Notable changes in this release include
some usernames that were previously accepted with the
--badname option, and removing
support for escaped newlines in configuration files. Possibly more
interesting is the announcement that the project is deprecating a
number of programs, hashing algorithms, and the ability to
periodically expire passwords:
Scientific research shows that periodic password expiration
leads to predictable password patterns, and that even in a
theoretical scenario where that wouldn't happen the gains in
security are mathematically negligible (paper
link).
Modern security standards, such as NIST SP 800-63B-4 in the USA,
prohibit periodic password expiration. [...]
To align with these, we're deprecating the ability to
periodically expire passwords. The specifics and long-term
roadmap are currently being discussed, and we invite feedback
from users, particularly from those in regulated environments.
See https://github.com/shadow-maint/shadow/pull/1432
.
The release announcement notes that the features will remain
functional "for a significant period" to minimize
disruption.