Re: Shadow Passwords
Ian Jackson:
> Well, speaking as one of those `some people', I'd like to point out
> that things like the recent security hole in login where typing in a
> long username would cause a buffer overrun don't exactly give me great
> confidence in the implementation quality.
Indeed.
I'm neutral about shadow passwords myself, but there are a couple of
things I dream about, some of which shadows provide:

- Long passwords, with a maximum of at least 128 characters.
  I much prefer a passphrase, since it is easier to remember than
  a password.

- Long usernames; my last name is longer than 8 characters, and I
  hate to have it truncated. This is also required for the
  next step.

- 8-bit clean usernames and passwords, preferably by encoding
  them both with the UTF-2 encoding of Unicode.

That last one, especially, is a bit of a problem to implement...

All of these, I realize, make things difficult for people in a networked
environment, so they would have to be made optional.