maximum password length

Richard Smith richard at jezebel.demon.co.uk
Fri Aug 6 14:18:09 BST 1999


Martin Hopkins wrote:
> 
> >>>>> "Richard" == Richard Smith <rsmith at trltech.co.uk> writes:
> 
>     Richard> Quite by chance, my daughter discovered that FreeBSD is only treating
>     Richard> the first eight characters of the login password as significant. The man
>     Richard> page for passwd (as does the include file) suggests that the max length
>     Richard> should be 128. This is a fairly standard 3.2R installation (including
>     Richard> all the security bits) from the CD.
> 
>     Richard> Any clues? Or have I missed something?
> 
> Take a look at the encoded password, are they 13 characters.  From
> crypt(3)...
> 
>      For compatibility with historical versions of crypt(3),  the setting may
>      consist of 2 bytes of salt, encoded as above, in which case an iteration
>      count of 25 is used, fewer perturbations of DES are available, at most 8
>      characters of key are used, and the returned value is a NUL-terminated
>      string 13 bytes in length.

Yes. 13 characters.

> Looks like this is being used for some reason.  Are you using DES or MD5?
> I don't have the sources at hand, I'll take a look at the code later.

I didn't know I had a choice :)

When asked "do I want DES and Kerberos" off the CD, I always answer "I
want everything" :)

The fact that some of the packages on the 3.0R CD (IIRC) didn't work
without Kerberos (because of the way they had been incorrectly built)
has reinforced this behaviour.

I know that Kerberos seems like a real pain, and I don't think I will
ever seriously use it. Is DES likewise, normally to be avoided unless
you have a specific requirement for it?

Thanks,
Richard.
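The crypt(3) excerpt quoted above gives the tell-tale sign of the legacy scheme: a 13-character hash (2 characters of salt plus 11 of output, all from the 64-character crypt alphabet) means only the first 8 characters of the password were ever used. The script below is an added example, not part of the original thread or of FreeBSD, that audits a master.passwd/passwd-style file for accounts still carrying such hashes. The sample file contents are constructed; the scheme names it reports for modular-format hashes ("$1$" for MD5 and so on) are the conventional crypt identifiers.

```python
import re

# Traditional DES crypt(3): a 2-character salt followed by 11 hash characters,
# all drawn from the 64-character alphabet [./0-9A-Za-z]. This scheme keeps
# only the first 8 characters of the password.
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_MAX_SIGNIFICANT = 8

# Modular crypt format: "$id$..." where id names the scheme
# (1 = MD5, 2a/2b = bcrypt, 5 = SHA-256, 6 = SHA-512).
MODULAR_RE = re.compile(r"^\$([0-9A-Za-z]+)\$")
MODULAR_NAMES = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "5": "sha256", "6": "sha512"}

# Constructed sample in FreeBSD master.passwd layout (10 colon-separated
# fields); these are not real hashes or real accounts.
SAMPLE_MASTER_PASSWD = """\
# constructed sample, not a real master.passwd
root:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:0:0::0:0:Charlie &:/root:/bin/csh
alice:ab3X9kLmQ7zRs:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/sbin/nologin
"""


def classify_hash(pw_field):
    """Return the password scheme implied by one password field."""
    if pw_field == "":
        return "empty"                      # no password at all
    if pw_field[0] in "*!":
        return "locked"                     # account cannot log in with a password
    if DES_HASH_RE.match(pw_field):
        return "des"                        # legacy 13-character hash, 8 significant chars
    m = MODULAR_RE.match(pw_field)
    if m:
        return MODULAR_NAMES.get(m.group(1), "modular:" + m.group(1))
    return "unknown"


def audit_passwd(text):
    """Parse passwd/master.passwd lines; return (user, scheme) for each account."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                        # skip blank lines and comments
        fields = line.split(":")
        if len(fields) < 2:
            continue                        # malformed line, nothing to classify
        results.append((fields[0], classify_hash(fields[1])))
    return results


def accounts_with_truncated_passwords(text):
    """Users whose stored hash only covers the first 8 password characters."""
    return [user for user, scheme in audit_passwd(text) if scheme == "des"]


def effective_password(password, scheme):
    """The part of a candidate password that the given scheme actually checks."""
    if scheme == "des":
        return password[:DES_MAX_SIGNIFICANT]
    return password


if __name__ == "__main__":
    for user, scheme in audit_passwd(SAMPLE_MASTER_PASSWD):
        print(f"{user:8} {scheme}")
    print("needs re-hashing:", accounts_with_truncated_passwords(SAMPLE_MASTER_PASSWD))
```

Any account the audit reports as "des" keeps only 8 significant characters until its password is set again under a scheme that stores a modular-format hash; a longer password typed at login is silently compared on its first 8 characters only, which is exactly the behaviour observed in the original report.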
