Default OS root password hash algorithm should be SHA-2
#2127 added support for different root password hash algorithms, but set the default to MD5.
I'd prefer to see the default be a SHA-2 algorithm and for users to have to explicitly drop the security level if they wish (bearing in mind that most OS definitions are auto-created). I think most modern OSes have long supported SHA-2 (e.g. RHEL 5.2 or above), so I don't think MD5 is a reasonable default.