
Re: (no subject)



On Fri, 10 Mar 2000, Mark wrote:
>Not actually a bug, but a recommendation for later distributions
>security, I've noticed 2.1 only allows something along the lines of an 8
>character password. If someone were to get ahold of someone's username,
>which is easy to do, and they of course had some queer password guessing
>tool that tried all combinations within the 8 char limit, it'd be pretty
>easy to at least do that. I've tested other distributions like
>slackware, slack7 allows a 126 character password at max which is a
>really good thing. Just a recommendation.

If there are 64 characters to use for a letter of a password (26 upper case,
26 lower case, numbers, and two punctuation characters) then 64^8 is
281474976710656 unique passwords.  If we include all the possible 7 character
passwords then the number is larger.
If you can try 1000 passwords a second then it would take 9000 years to try
all possible passwords, giving an average crack time of 4500 years.
If your system has a world-readable shadow file or some other mechanism that
allows the 10,000,000 password guesses per second necessary to crack
passwords then you have a bigger problem than an 8 character limit.

If you allow a 126 character password then you are absolutely guaranteed that
it will be stored in scripts which is less secure than a 6 character password
that is memorised.

Then of course there's the issue of "shoulder surfing".

-- 
My current location - X marks the spot.
X
X
X

