pam.d/base-password allows passwordless login and md5 hashed passwords
Hello,
for me personally the /etc/pam.d/base-password file looks a bit insecure tbh.
I have changed it to:
sed -i -e "s/pam_unix.so.*$/pam_unix.so sha512/" /etc/pam.d/base-password
to allow only sha512 hashed passwords in /etc/shadow
to make dictionary attacks harder.
I know that /etc/shadow is root readable only, so this does not pose a huge risk apart from physical compromise,
but (for me at least) it is a nice little improvement.
Best wishes
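
An added example, not part of the original post: a read-only audit of a pam_unix configuration and a shadow-format file. The pam_unix `sha512` option applies when a password is next set, so an account with an existing MD5-crypt hash keeps it until the password is changed; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of pam_unix options and shadow hash schemes.

# Report pam_unix lines that accept empty passwords or do not hash with sha512.
audit_pam() {
    awk '
        /^[ \t]*#/ { next }                              # ignore comments
        /pam_unix\.so/ {
            if ($0 ~ /[ \t]nullok/)                      # also matches nullok_secure
                print FILENAME ":" FNR ": nullok accepts empty passwords"
            if ($0 ~ /[ \t]md5([ \t]|$)/)
                print FILENAME ":" FNR ": md5 hashes new passwords with MD5-crypt"
            else if ($1 == "password" && $0 !~ /[ \t]sha512([ \t]|$)/)
                print FILENAME ":" FNR ": password line lacks sha512"
        }' "$1"
}

# Report accounts whose stored hash is empty or not sha512-crypt ($6$).
audit_shadow() {
    awk -F: '
        $2 == ""      { print $1 ": empty password field"; next }
        $2 ~ /^[!*]/  { next }                           # locked / no password login
        $2 ~ /^\$6\$/ { next }                           # sha512-crypt
        $2 ~ /^\$1\$/ { print $1 ": MD5-crypt hash, kept until password is changed"; next }
                      { print $1 ": hash is not sha512-crypt" }
    ' "$1"
}

# Constructed sample data (not the real contents of any system file).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'auth     sufficient pam_unix.so nullok' \
        'password required   pam_unix.so nullok md5' > "$dir/base-password"
    printf '%s\n' \
        'root:$6$constructed$notarealhash:19000:0:99999:7:::' \
        'alice:$1$constructed$notarealhash:19000:0:99999:7:::' \
        'guest::19000:0:99999:7:::' \
        'daemon:*:19000:0:99999:7:::' > "$dir/shadow"
    audit_pam "$dir/base-password"
    audit_shadow "$dir/shadow"
    rm -rf "$dir"
}
demo
```

On a real system, run `audit_pam /etc/pam.d/base-password` and, as root, `audit_shadow /etc/shadow`; any account reported with an MD5-crypt hash needs a password change before its stored hash becomes sha512.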