Currently Gentoo uses sha512 passwords in /etc/shadow by default. This isn't ideal, as sha512 is not a dedicated password hashing function. Modern password hashing functions are designed to be difficult to bruteforce due to their memory use and other features. For a long time, sha512 was the best that glibc supported. But newer versions of glibc use libxcrypt, and that supports a wider variety of hash functions. It appears that other distros go for yescrypt as the preferrable modern hash function supported by libxcrypt. Latest versions of Debian, Ubuntu, and Fedora already use yescrypt. Here's a discussion from Fedora: https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow I therefore recommend that Gentoo also changes the default to yescrypt. This is configured in the file /etc/pam.d/system-auth, which is part of pambase.
See https://marc.info/?l=gentoo-dev&m=165851695628807&w=2. IIRC (I haven't re-read the discussion yet), the consensus was positive. For the record, it's fine with me and I like the idea.
We should also update ENCRYPT_METHOD in /etc/login.defs (sys-apps/shadow) for non-PAM installs.
