From owner-freebsd-questions@FreeBSD.ORG Mon Jun 17 17:25:58 2013
Delivered-To: freebsd-questions@freebsd.org
From: "Teske, Devin"
To: Eduardo Morras
Subject: Re: FreeBSD maximum password length
Date: Mon, 17 Jun 2013 17:25:54 +0000
Message-ID: <13CA24D6AB415D428143D44749F57D7201F936C4@ltcfiswmsgmb21>
References: <44li69diyv.fsf@be-well.ilk.org> <20130617164744.1c4e3d02e57de825d500e309@yahoo.es>
In-Reply-To: <20130617164744.1c4e3d02e57de825d500e309@yahoo.es>
Reply-To: Devin Teske
List-Id: User questions (freebsd-questions@freebsd.org)
On Jun 17, 2013, at 7:47 AM, Eduardo Morras wrote:

> On Mon, 17 Jun 2013 17:49:56 +0330
> takCoder wrote:
>>
>> I need to moderate the input password in my system's user interface. And I
>> believe I have tested longer passwords than that, about 1000 characters
>> long, and there were no limitations, via using this command in a /bin/sh
>> test shell script : "echo PASSWORD | pw user mod USER -h 0".
>
> If I remember well, any password longer than default size is truncated, so passwords
>
> a) 'AhN12Njufsn8794432kjfvsnkkJHNDSMNDKh844mNJKnhjhu8u8424'
> b) 'AhN12Njufsn8794432kj'
>
> have the same salt hash value and both validate the user.
>

Depends on the hashing algo.

Old crypt(3) stored passwords with a 12-bit salt (2x Base64 characters; [0-9a-zA-Z./]) followed by the hashed cleartext.

This [ancient] format limited password input to 8 characters. With this algorithm, input beyond 8 characters was ignored, so the behavior you describe is accurate -- with the old DES-based one-way hash algorithm (which hasn't been default for a very long time).

The default in FreeBSD is MD5, but you can go to AES256 (Rijndael) if you like, or Blowfish, or whatever you like. Each of these has different limitations, but will not exhibit the behavior you describe above.

There is no limit to these algorithms, only in the implementations -- that is to say that if you implement a read-buffer of 128k, that's the practical limit of your application's input (read: these algorithms have no limitations on input, however that being stated… no CRC algorithm has a limitation on input).

But be aware…

What makes these algorithms more secure is their larger salts *and* their stated rate of collisions. MD5 is no longer considered secure. It's secure *enough* for most people, but if you run a tight ship, anyone with a few multiplexed GPUs running a CUDA thread against your hash can break it in a matter of a week if not days. The benchmark (in my mind) for any cryptographically strong algo is that with almost dream-like hardware, it would still be impossible to reverse the one-way trapdoor hash in one's own lifetime.

Of course, achieving that as a human can be hard considering that we rarely (if ever) produce strong inputs to the strong algorithms. However, if you want to be pedantic about choosing a strong password… you should actually take respite in the fact that these algorithms are still like their CRC brethren in that:

Inputs greater than the hash length are cryptographically more secure than inputs shorter than the hash length.

I digress…

-- 
Devin

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
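The point of the reply above, that the 8-character truncation belongs to the old DES crypt(3) scheme and not to the MD5 ($1$) scheme FreeBSD defaults to, is something a practitioner can check mechanically rather than remember: feed a hash function password prefixes of increasing length and look for the first length at which appending a character no longer changes the output. The following is an added example written for this page, not code from Devin Teske or from FreeBSD. It carries a from-scratch implementation of the $1$ MD5-crypt scheme built on hashlib, a constant-time verifier for stored $1$ strings, and a stand-in for DES crypt (`toy_des_crypt`, a constructed helper that only reproduces the 2-character salt and 8-character cutoff, not the DES algorithm itself) so that the truncation probe has both behaviours to compare. The two test passwords from the quoted message are reused as inputs; nothing here is run against a real master.passwd.

```python
import hashlib
import hmac

# crypt(3) alphabet: 6 bits per character, [./0-9A-Za-z]
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: emit `count` 6-bit groups, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$), the scheme FreeBSD's crypt(3) uses by default at the time
    of the thread. The salt is cut at 8 characters; the password is absorbed in
    full, so no prefix truncation exists."""
    pw = password.encode()
    magic = b"$1$"
    sp = salt.encode()[:8]

    ctx = hashlib.md5(pw + magic + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    remaining = len(pw)
    while remaining > 0:                       # absorb len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                   # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                      # the fixed 1000-round stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sp)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final                                  # byte permutation fixed by the scheme
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return (magic + sp + b"$" + encoded).decode()


def md5crypt_verify(password: str, stored: str) -> bool:
    """Re-derive the hash from the salt in a stored $1$salt$hash string and
    compare in constant time; anything that is not a $1$ string is rejected."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), stored)


def toy_des_crypt(password: str, salt: str) -> str:
    """Constructed stand-in for the old DES crypt(3): NOT the DES algorithm,
    only its input behaviour (2-character salt, password cut at 8 characters),
    so the probe below has a truncating scheme to compare against."""
    s = salt[:2]
    return s + hashlib.sha256((s + password[:8]).encode()).hexdigest()[:11]


def effective_limit(hash_fn, salt: str, max_len: int = 64):
    """Return how many password characters hash_fn actually consumes, or None
    if no truncation shows up to max_len. hash_fn is any (password, salt) -> str.
    The probe string is constructed ASCII; only its length matters."""
    probe = "".join(chr(33 + (i * 7) % 90) for i in range(max_len + 1))
    for n in range(1, max_len + 1):
        if hash_fn(probe[:n], salt) == hash_fn(probe[:n + 1], salt):
            return n
    return None


if __name__ == "__main__":
    long_pw = "AhN12Njufsn8794432kjfvsnkkJHNDSMNDKh844mNJKnhjhu8u8424"
    short_pw = "AhN12Njufsn8794432kj"
    print("DES-style limit:", effective_limit(toy_des_crypt, "ab"))
    print("MD5-crypt limit:", effective_limit(md5crypt, "saltsalt"))
    print("DES-style collide:", toy_des_crypt(long_pw, "ab") == toy_des_crypt(short_pw, "ab"))
    print("MD5-crypt collide:", md5crypt(long_pw, "saltsalt") == md5crypt(short_pw, "saltsalt"))
```

`effective_limit` is scheme-agnostic: wrap whatever your system's crypt(3) or password library exposes in a `(password, salt) -> str` callable and the same probe tells you whether that build silently drops input past some length, which is the check worth running before relying on long passphrases. The $1$ implementation here is for illustration and interoperability testing; on a real system keep using the platform's crypt(3).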