diff --git a/patches/packages/to-upstream/0015-shadow-change-default-encryption-method-from-DES-to-.patch b/patches/packages/to-upstream/0015-shadow-change-default-encryption-method-from-DES-to-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..890bc28226fee1ad3b515879365ef98facf92b07
--- /dev/null
+++ b/patches/packages/to-upstream/0015-shadow-change-default-encryption-method-from-DES-to-.patch
@@ -0,0 +1,45 @@
+From 0c9dfe8c77cd38ead1a7340ebdd23e8100056896 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <karel.koci@nic.cz>
+Date: Mon, 13 May 2019 13:38:04 +0200
+Subject: [PATCH] shadow: change default encryption method from DES to SHA512
+
+Busybox in default uses SHA512 as well.
+---
+ utils/shadow/Makefile                                 |  2 +-
+ .../patches/005-set-encrypt-method-sha512.patch       | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+ create mode 100644 utils/shadow/patches/005-set-encrypt-method-sha512.patch
+
+diff --git a/utils/shadow/Makefile b/utils/shadow/Makefile
+index 8e9e311..51c029f 100644
+--- a/utils/shadow/Makefile
++++ b/utils/shadow/Makefile
+@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
+ 
+ PKG_NAME:=shadow
+ PKG_VERSION:=4.6
+-PKG_RELEASE:=1
++PKG_RELEASE:=2
+ 
+ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+ PKG_SOURCE_URL:=https://github.com/shadow-maint/shadow/releases/download/$(PKG_VERSION)
+diff --git a/utils/shadow/patches/005-set-encrypt-method-sha512.patch b/utils/shadow/patches/005-set-encrypt-method-sha512.patch
+new file mode 100644
+index 0000000..46bcd3f
+--- /dev/null
++++ b/utils/shadow/patches/005-set-encrypt-method-sha512.patch
+@@ -0,0 +1,11 @@
++--- a/etc/login.defs
+++++ b/etc/login.defs
++@@ -317,7 +317,7 @@ CHFN_RESTRICT		rwh
++ # Note: If you use PAM, it is recommended to use a value consistent with
++ # the PAM modules configuration.
++ #
++-#ENCRYPT_METHOD DES
+++ENCRYPT_METHOD SHA512
++ 
++ #
++ # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+-- 
+2.21.0
+