Date: Tue, 2 May 2000 11:40:03 -0700 (PDT)
From: Brooks Davis <brooks@one-eyed-alien.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: i386/18339: Password during Login
Message-ID: <200005021840.LAA43668@freefall.freebsd.org>

The following reply was made to PR i386/18339; it has been noted by GNATS.

From: Brooks Davis <brooks@one-eyed-alien.net>
To: sherwin@newpagcor.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: i386/18339: Password during Login
Date: Tue, 2 May 2000 11:38:13 -0700

On Mon, May 01, 2000 at 11:11:46PM -0700, sherwin@newpagcor.com wrote:
>
> I found out that during login phase, FreeBSD does not check the
> password if it's longer than the stored password of the user against the
> inputted one.

This is a misstatement of the "problem". What is happening is that with
the standard DES based UNIX password scheme, only the first 8 characters
of the password are significant. What is happening is that there is no
difference between "qwerty12" and "qwerty1234" because "qwerty1234" is
truncated to "qwerty12". While this behavior may not be ideal in general,
it is the correct behavior in that all UNIX and UNIX-like systems have the
same behavior.

Changing the password system to reject all passwords greater than 8
characters when using DES hashing would "fix" the problem, but would add
no real security and would cause great confusion by changing years of
standard behavior.

I would recommend closing this PR.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
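
The truncation described in the reply above, as an added example that is not part of the original message or of FreeBSD's code: it derives the 56-bit key that traditional DES crypt(3) takes from a password (the low 7 bits of each of the first eight characters) and flags accounts whose stored hash has the traditional 13-character DES shape. The function names are hypothetical, the master.passwd lines and hash strings are constructed, and the shape check is a heuristic.

```python
import re

# Traditional crypt(3) output: 2 salt + 11 hash characters from [./0-9A-Za-z].
TRADITIONAL_DES = re.compile(r"[./0-9A-Za-z]{13}")


def des_crypt_key(password: str) -> int:
    """56-bit key as traditional crypt(3) builds it: the low 7 bits of each
    of the first 8 bytes, zero-padded. Bytes 9 and onward never reach DES."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    key = 0
    for byte in raw:
        key = (key << 7) | (byte & 0x7F)
    return key


def collides(a: str, b: str) -> bool:
    """True when two different passwords give crypt(3) the same DES key."""
    return a != b and des_crypt_key(a) == des_crypt_key(b)


def accounts_with_truncating_hashes(master_passwd_text: str) -> list[str]:
    """Users whose hash field looks like traditional DES (8 significant chars)."""
    flagged = []
    for line in master_passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and TRADITIONAL_DES.fullmatch(fields[1]):
            flagged.append(fields[0])
    return flagged


# Constructed sample in master.passwd layout; the hash strings are made up.
SAMPLE = """\
alice:abCDEFGHIJKLM:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$constructed$0123456789abcdefghijkl:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
"""

if __name__ == "__main__":
    print(collides("qwerty12", "qwerty1234"))      # the pair from the PR
    print(collides("qwerty12", "qwerty13"))        # differs within 8 chars
    print(accounts_with_truncating_hashes(SAMPLE))
```

Accounts the second function reports are the ones for which any characters past the eighth are ignored at login; hashes in a `$`-prefixed format are not flagged.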