[PATCH 2/5] security: mark weaker passwords hashing algorithms insecure

[Ahmad Fatoum]

It's well known that MD5 and SHA1 aren't suitable password hashing
algorithms. Let's alert users to that fact by selecting
HAS_INSECURE_DEFAULTS.

Signed-off-by: Ahmad Fatoum <a.fatoum at barebox.org>
---
 security/Kconfig | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/security/Kconfig b/security/Kconfig
index 88ebdeed2f64..3e21e1416e2f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -63,10 +63,21 @@ choice
 config PASSWD_SUM_MD5
 	bool "MD5"
 	select DIGEST_MD5_GENERIC
+	select HAS_INSECURE_DEFAULTS
+	help
+	  MD5 had been widely used historically as a cryptographic hash function,
+	  but has been found to suffer from extensive vulnerabilities.
+	  Use of MD5 to hash passwords is strongly discouraged.
 
 config PASSWD_SUM_SHA1
 	bool "SHA1"
 	select DIGEST_SHA1_GENERIC
+	select HAS_INSECURE_DEFAULTS
+	help
+	  SHA1 had been widely used historically as a cryptographic hash function,
+	  but has since been cryptographically broken.
+	  SHA-1 was designed for speed and thus use as password hash is strongly
+	  discouraged as it's easier for an attacker to brute force.
 
 config PASSWD_SUM_SHA256
 	bool "SHA256"
-- 
2.39.5