Date: Tue, 04 Apr 2000 12:39:57 +0200
From: Sheldon Hearn <sheldonh@uunet.co.za>
To: Bhishan Hemrajani <bhishan@cytosine.dhs.org>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: only 8 chars of password needed to login
Message-ID: <87347.954844797@axl.ops.uunet.co.za>
In-Reply-To: Your message of "Mon, 03 Apr 2000 21:48:13 MST." <200004040448.e344mDn01205@cytosine.dhs.org>
On Mon, 03 Apr 2000 21:48:13 MST, Bhishan Hemrajani wrote:

> I have a problem with users' passwords on my system. I'm not sure if
> it is an error in my setting up FreeBSD, or a security hole.

It's as much of a security hole as the difference between 10 character
passwords and 8 character passwords. Theoretically huge, practically
insignificant. :-)

> What happens is, I set a password for a user that is 10 chars
> long. But, when I login, I can just enter 8 chars and anything after
> that, or just the 8 chars and it will let me log in.

Yes. You're using the DES encryption scheme instead of the MD5 scheme.
While MD5 does allow longer passwords, DES has the advantage of being
cross-platform -- e.g. you can copy crypted passwords between FreeBSD
boxes and SUN boxes.

> My hunch is that I should use a different encryption scheme for
> /etc/master.passwd

I'd recommend that you spend some time thinking about the difference it
actually makes. In the real world, the biggest problem is not the length
of a password, but the ease with which it may be guessed by testing it
against common permutations of dictionary words.

I'd suggest that, unless you host an enormous number of shell users,
you're probably better off educating the users you do have regarding the
safe selection of passwords. If you like, you can direct them to

http://people.freebsd.org/~sheldonh/passwords.html

which is taken from the security FAQ supplied with Alec Muffett's Crack
utility (available in the FreeBSD ports tree, described at
http://www.freebsd.org/ports/).

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
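The two points Sheldon makes above, that traditional DES crypt only ever sees the first 8 characters of a password, and that guessability against dictionary permutations matters more than raw length, can be shown in a small password-quality check of the kind Crack's FAQ argues for. The following is an added example, not code from the thread, from FreeBSD or from Crack; it models the 8-character truncation of crypt(3) rather than calling the real function, and the wordlist and transformation rules are constructed for illustration (a real check would load a full dictionary).

```python
"""Model of why password length past 8 characters is irrelevant under DES
crypt, plus a Crack-style dictionary-permutation check on the part of the
password that actually gets hashed. Added example; not the thread's code."""
import string

# Constructed toy wordlist standing in for a real dictionary file.
WORDLIST = {"secret", "password", "freebsd", "dragon", "welcome", "letmein"}

# A few common letter-for-digit substitutions ("leetspeak").
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})

# Suffixes/prefixes people commonly bolt onto a dictionary word.
DECORATIONS = list(string.digits) + ["!", "1!", "123"]


def effective_password(password, scheme):
    """Return the part of the password the hash scheme actually consumes.

    Traditional DES crypt builds its 56-bit key from the low 7 bits of each
    of the first 8 characters; everything after that is ignored.  MD5 crypt
    ($1$...) feeds the whole string into the hash.  (Model of the behaviour
    described in the thread, not a call to crypt(3).)
    """
    if scheme == "des":
        return "".join(chr(ord(c) & 0x7F) for c in password[:8])
    if scheme == "md5":
        return password
    raise ValueError(f"unknown scheme: {scheme}")


def same_credential(a, b, scheme):
    """True if passwords a and b would verify against the same stored hash."""
    return effective_password(a, scheme) == effective_password(b, scheme)


def candidates(word):
    """Common permutations of one dictionary word: case variants, reversal,
    leetspeak, and a decoration appended or prepended to each of those."""
    base = {word, word.capitalize(), word.upper(), word[::-1], word.translate(LEET)}
    for b in list(base):
        for deco in DECORATIONS:
            base.add(b + deco)
            base.add(deco + b)
    return base


def dictionary_match(password, wordlist=WORDLIST):
    """Return the dictionary word the password was derived from, or None."""
    for word in wordlist:
        if password in candidates(word):
            return word
    return None


def check_password(password, scheme="md5", wordlist=WORDLIST):
    """Findings a password-setting tool could report to the user.

    The dictionary check runs on the effective password, so under DES a
    long password whose first 8 characters are a decorated word is still
    flagged: the tail that would have saved it is never hashed.
    """
    findings = []
    eff = effective_password(password, scheme)
    if scheme == "des" and len(password) > 8:
        findings.append("only the first 8 characters count under DES crypt")
    if len(eff) < 8:
        findings.append("effective length under 8 characters")
    word = dictionary_match(eff, wordlist)
    if word:
        findings.append(f"derived from dictionary word '{word}'")
    return findings


if __name__ == "__main__":
    for pw, scheme in [("tenchars10", "des"), ("freebsd1!extra", "des"),
                       ("freebsd1!extra", "md5"), ("Dr4g0n!", "md5")]:
        print(f"{pw!r:18} {scheme}: {check_password(pw, scheme) or 'ok'}")
```

Running it shows the symptom from the original question: under `des`, `tenchars10` and `tencharsXX` are the same credential, and `freebsd1!extra` is reported as a dictionary derivative because only `freebsd1` is ever hashed, while the same string under `md5` passes both checks.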