According to the Calamares developers, this password weakness affects all Calamares versions prior to the 3.1.1 release, which came out last week with improved salting for user passwords. They believe the issue is important if an attacker has a method of obtaining the password hash, which could compromise your Linux-based operating system.
The Calamares developers advise all users of GNU/Linux distributions that were installed with their universal installer framework to reset their passwords on the respective computers using the “passwd” command-line utility, which will provide a stronger salt and therefore a more secure password hash.
Please note that you only need to change the password of the user created during the installation process, as well as that of the root account, if it has a password set. Users that were added after the installation don’t have this password weakness.
Check the security advisory to see how you can verify whether a distro that was installed with the Calamares installer contains weakly salted passwords, and keep in mind that all the Live ISOs that come with Calamares 3.1 or a previous release have this password weakness.
Submitted by: Arnfried Walbrecht