Date:      Thu, 16 May 2002 14:54:26 -0700
From:      "DiCioccio, Jason" <jdicioccio@epylon.com>
To:        'Jesper Wallin' <z3l3zt@phucking.kicks-ass.org>, security@freebsd.org
Subject:   RE: How secure is a password and how many characters does it allow?
Message-ID:  <657B20E93E93D4118F9700D0B73CE3EA02FFF58E@goofy.epylon.lan>


The limit actually appears to be 8, and it appears to be a limitation
of crypt()..  I did a few tests.  These are from within ruby, however
it uses crypt(), so it should be accurate.

irb(main):001:0> "aaaaaaaaaa".crypt('aa')
"aakcR08PK3l1o"
irb(main):002:0> "aaaaaaaaaa".crypt('aa')
"aakcR08PK3l1o"
irb(main):003:0> "aaaaaaaaaaa".crypt('aa')
"aakcR08PK3l1o"
irb(main):004:0> "aaaaaaaaaaaa".crypt('aa')
"aakcR08PK3l1o"
irb(main):005:0> "aaaaaaaaa".crypt('aa')
"aakcR08PK3l1o"
irb(main):006:0> "aaaaaaaa".crypt('aa')
"aakcR08PK3l1o"
irb(main):007:0> "aaaaaaa".crypt('aa')
"aaJFn5Xsal0nQ"

Looking at pam_unix though it will accept a password up to 128
characters.  I think the limitation is coming from crypt().  Does
anyone know if this is specific to 1 type of encryption (DES in this
case), or is this true for md5, des, and blowfish when crypt() is used?

Cheers,
-JD-

-----Original Message-----
From: Jesper Wallin [mailto:z3l3zt@phucking.kicks-ass.org]
Sent: Thursday, May 16, 2002 2:44 PM
To: security@freebsd.org
Subject: How secure is a password and how many characters does it allow?


Hello.

I'll take the whole story from the beginning.. My girlfriend is/was running
Slackware Linux and wanted to get her webcam working.. After searching for
docs/help for about 1 month she decided to install Windows ME (Millennium
Edition). Something went wrong with the install so the ext2 file system got
messed up.. She removed Linux for some days and is running Windows only now..

As many of us know, Windows ME is quite unstable and for each program you
install you need to reboot.. (why??) After she reconnected to IRC through
mIRC for the 6th time in under 10 minutes she asked me to give her a shell on
my box.. Of course I created a new user and from now on she's running irssi..
(good girl :)

She uses a password which is 10 characters long with both caps, non-caps,
numbers and ASCII characters.. However she's used to putting two small
passwords together to get a bigger and stronger password.. This password is
one of the "small" passwords..

She tried to log in on the box with her 10-character-long password which
worked (of course).. Now she detected that she was able to log in when using
a phrase looking like [correct-password][junk/another-password].. If she
starts the phrase with the correct password, she is able to log in even if
she adds anything else after the correct password.. To me it looks like a
limit of 10-character passwords.. is this true?

I know I haven't searched much for help by myself before asking here but I
hope someone out there may have an answer to my (weird) question..


//Jesper Wallin aka Z3l3zT



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

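To make JD's observation checkable, here is an added Python example (not from the thread or from FreeBSD's own code): it rebuilds the 64-bit DES key the way traditional crypt(3) does, which is why only the first 8 characters matter, and classifies password-file hash fields by format to report each scheme's effective length limit (MD5-crypt has none, bcrypt keys on at most 72 bytes; the $5$/$6$ SHA-crypt prefixes postdate this thread). The sample records are constructed and not real credentials; the DES hash is the value printed in the irb session above.

```python
import re

# Effective password-length limit imposed by each crypt(3) hash format.
# None means the algorithm consumes the whole password.
LIMITS = {
    "des": 8,        # traditional DES crypt: only 8 characters reach the key
    "md5": None,     # $1$ md5crypt hashes the entire password
    "bcrypt": 72,    # $2a$/$2b$/$2y$: Blowfish key schedule reads <= 72 bytes
    "sha256": None,  # $5$ sha256crypt (later than this thread)
    "sha512": None,  # $6$ sha512crypt (later than this thread)
}

def des_key_from_password(password: str) -> bytes:
    """Mirror how traditional crypt(3) builds its DES key: each of the
    first 8 characters is shifted left one bit (bit 7 is dropped) and the
    key is zero-padded after a NUL.  Bytes beyond 8 are never read."""
    raw = password.encode("latin-1")
    key = bytearray(8)
    for i in range(8):
        if i >= len(raw) or raw[i] == 0:
            break
        key[i] = (raw[i] << 1) & 0xFF
    return bytes(key)

def classify_hash(field: str):
    """Return (scheme, limit) for one hash field from master.passwd/shadow.
    Empty or locked fields ('*', '!...', '*LOCKED*...') return ('none', 0)."""
    if not field or field[0] in "*!":
        return "none", 0
    m = re.match(r"^\$(1|2a|2b|2y|5|6)\$", field)
    if m:
        scheme = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                  "5": "sha256", "6": "sha512"}[m.group(1)]
        return scheme, LIMITS[scheme]
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):  # 2-char salt + 11 chars
        return "des", LIMITS["des"]
    return "unknown", None

def audit(passwd_lines):
    """Return (user, scheme, limit) for accounts whose hash format silently
    truncates the password; input lines are 'user:hash:...' records."""
    findings = []
    for line in passwd_lines:
        user, field = line.split(":", 2)[:2]
        scheme, limit = classify_hash(field)
        if limit:
            findings.append((user, scheme, limit))
    return findings

# Constructed sample records; the DES value is the one from the irb session.
SAMPLE = [
    "alice:aakcR08PK3l1o:1001:1001::0:0:Alice:/home/alice:/bin/sh",
    "bob:$1$saltsalt$" + "x" * 22 + ":1002:1002::0:0:Bob:/home/bob:/bin/sh",
    "carol:$2b$12$" + "y" * 53 + ":1003:1003::0:0:Carol:/home/carol:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
]

if __name__ == "__main__":
    for user, scheme, limit in audit(SAMPLE):
        print(f"{user}: {scheme} hash, only the first {limit} chars count")
```

Note that the key-building loop also discards bit 7 of each character, so two DES-crypt passwords that differ only in the high bit of a byte collide as well.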





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?657B20E93E93D4118F9700D0B73CE3EA02FFF58E>