Date: Sat, 16 Apr 2005 15:06:09 +0200
From: Anthony Atkielski <atkielski.anthony@wanadoo.fr>
To: freebsd-questions@freebsd.org
Subject: Re: Encryption of login passwords--where and how is it done?
Message-ID: <956136323.20050416150609@wanadoo.fr>
In-Reply-To: <42610AC3.4090202@makeworld.com>
References: <1197988274.20050416123145@wanadoo.fr> <42610AC3.4090202@makeworld.com>
Chris writes:

> Ummm - Somehow, somewhere, I was always taught that the longer the
> password, the better. So, how can a short password (say 10 bytes) be as
> secure as a 128 byte?

It depends on how the password is encrypted and stored. A short, random password may be more secure than a long, less-random password--especially if the password logic discards all characters beyond a certain point, or doesn't hash the entire password in a way that maximizes the extraction of entropy from the password.

For example, on a system that uses only the first eight bytes of a password, you'd want a pretty random string of eight bytes, like "uhhxuapo48", but on a system that accepts 128 bytes and pumps them through a message digest algorithm to maximize the amount of randomness it extracts from the string, you could use something like "tiles cloven thru *STARZ/, and zen pop-tarts conceal," and get something that is both easier to remember _and_ more secure (because it provides more bits of entropy if properly processed).

--
Anthony