maximum password length
richard at jezebel.demon.co.uk
Fri Aug 6 14:18:09 BST 1999
Martin Hopkins wrote:
> >>>>> "Richard" == Richard Smith <rsmith at trltech.co.uk> writes:
> Richard> Quite by chance, my daughter discovered that FreeBSD is only treating
> Richard> the first eight characters of the login password as significant. The man
> Richard> page for passwd (as does the include file) suggests that the max length
> Richard> should be 128. This is a fairly standard 3.2R installation (including
> Richard> all the security bits) from the CD.
> Richard> Any clues? Or have I missed something?
> Take a look at the encoded password, are they 13 characters? From
> For compatibility with historical versions of crypt(3), the setting may
> consist of 2 bytes of salt, encoded as above, in which case an iteration
> count of 25 is used, fewer perturbations of DES are available, at most 8
> characters of key are used, and the returned value is a NUL-terminated
> string 13 bytes in length.
Yes. 13 characters.
> Looks like this is being used for some reason. Are you using DES or MD5?
> I don't have the sources at hand, I'll take a look at the code later.
I didn't know I had a choice :)
When asked "do I want DES and Kerberos" off the CD, I always answer "I
want everything" :)
The fact that some of the packages on the 3.0R CD (IIRC) didn't work
without Kerberos (because of the way they had been incorrectly built)
has reinforced this behaviour.
I know that Kerberos seems like a real pain, and I don't think I will
ever seriously use it. Is DES likewise, normally to be avoided unless
you have a specific requirement for it?
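
The check suggested in the quoted reply (is the encoded password 13 characters long?), as an added example that is not part of the original message: a Python script that reads master.passwd-style lines and reports accounts whose hash is in the traditional crypt(3) format, where at most 8 characters of the password are used. The sample lines and hashes are constructed placeholders; the extended-DES (`_` prefix, 20 characters) and MD5 (`$1$`) patterns are assumptions taken from the standard crypt(3) formats, not from the thread.

```python
import re

# crypt(3) encodes salts and hashes with this 64-character alphabet.
B64 = r"[./0-9A-Za-z]"
TRADITIONAL_DES = re.compile(rf"^{B64}{{13}}$")  # 2 salt + 11 hash characters
EXTENDED_DES = re.compile(rf"^_{B64}{{19}}$")    # '_' + 4 count + 4 salt + 11 hash
MD5 = re.compile(rf"^\$1\$[^$]{{0,8}}\${B64}{{22}}$")

# Constructed master.passwd-style lines; the hashes are placeholders, not real.
SAMPLE = """\
alice:ab0123456789A:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$0123456789abcdefghijkl:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:_J9..salt0123456789A:1003:1003::0:0:Carol:/home/carol:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
"""


def classify(hash_field):
    """Return (scheme, limit); limit is the number of significant password
    characters, or None when the scheme has no 8-character cut-off."""
    if hash_field == "":
        return ("empty", None)
    if hash_field.startswith("*"):
        return ("locked", None)
    if TRADITIONAL_DES.match(hash_field):
        return ("traditional DES", 8)
    if EXTENDED_DES.match(hash_field):
        return ("extended DES", None)
    if MD5.match(hash_field):
        return ("MD5", None)
    return ("unknown", None)


def audit(text):
    """List (user, scheme, limit) for accounts with a truncating hash scheme."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        scheme, limit = classify(fields[1])
        if limit is not None:
            findings.append((fields[0], scheme, limit))
    return findings


if __name__ == "__main__":
    for user, scheme, limit in audit(SAMPLE):
        print(f"{user}: {scheme}, only the first {limit} characters are checked")
```
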