
Re: passwords and crypt?




On Fri, 30 Nov 2001, Roger Keays wrote:

>
> Hi all,
>
> I'm not sure if this is common knowledge or not, but I have just noticed
> the effects of having the first two letters of your password the same as
> the first two in your login name... You can use any extension of your
> password!!
>
> e.g., on my Woody box I added a user called 'ron' and his password was
> 'roniosko'. He could log in with 'ronioskos', 'ronioskoasdfasd' and so
> forth!
>
All the ones you tried are all over 8 letters, I bet?

My guess is you're using DES.  DES only allows up to 8 letter passwords.
Check your /etc/pam.d, look at login and passwd in there.

If you add an md5 at the end of the line that handles passwords, this will
enable md5, which allows longer passwords.  This is backwards compatible
in that your existing passwords will still work.  Once you change it or
add another user, it will use md5.

If you look at /etc/shadow, you can see the difference.  MD5 passwords
start with a $1 in the password field.  DES don't, and are slightly
shorter hashes.

Debian 2.1 didn't use MD5 passwords, and there's no way to automatically
transfer forward to DES passwords.  It's an option on 2.2 and above to
install MD5 passwords; you should.

Hope this helps,
Mike
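
The /etc/shadow check described in the reply above, as an added example that is not part of the original message: it classifies each password field as DES or MD5 and lists the accounts still on DES, which are the ones subject to the 8-character limit. The function names and the sample entries are constructed for illustration; the sample hashes are not real.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, 13 in total.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample in /etc/shadow format (not real hashes).
SAMPLE_SHADOW = """\
root:$1$Xy3kLm9a$AbCdEfGhIjKlMnOpQrStU.:11656:0:99999:7:::
ron:roAbCdEfGhIjK:11656:0:99999:7:::
daemon:*:11656:0:99999:7:::
olduser:!abCdEfGhIjKlM:11656:0:99999:7:::
"""

def classify(field):
    """Return (scheme, locked) for the password field of one shadow entry."""
    locked = field.startswith("!")        # leading '!' marks a locked password
    body = field.lstrip("!")
    if body == "*" or (locked and body == ""):
        return ("none", True)             # no usable password at all
    if body == "":
        return ("empty", False)           # empty field: no password required
    if body.startswith("$1$"):
        return ("md5", locked)            # MD5 fields start with $1
    if body.startswith("$"):
        return ("other", locked)          # some other $id$ scheme
    if DES_RE.match(body):
        return ("des", locked)            # short 13-character DES hash
    return ("unknown", locked)

def audit(shadow_text):
    """Map each user name to (scheme, locked)."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue                      # skip blank or malformed lines
        result[parts[0]] = classify(parts[1])
    return result

def needs_rehash(shadow_text):
    """Users whose stored hash is DES, i.e. limited to 8 characters."""
    return sorted(u for u, (s, _) in audit(shadow_text).items() if s == "des")

if __name__ == "__main__":
    for user, (scheme, locked) in audit(SAMPLE_SHADOW).items():
        print(f"{user:10} {scheme:8} {'locked' if locked else ''}")
    print("still on DES:", ", ".join(needs_rehash(SAMPLE_SHADOW)))
```

Accounts it lists stay on DES after md5 is enabled in PAM until their password is changed, as the reply notes.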


