on Tue, Dec 16, 2003 at 05:34:02PM -0600, Jacob S. (stormspotter@6texans.net) wrote:
> On Tue, 16 Dec 2003 20:22:03 -0300
> Diego Crivelli <dcrivelli@com.uncor.edu> wrote:
>
> <snip>
> > I created a user on my woody box with adduser and when prompted for
> > the password I wrote a word with more than 8 characters. But I can
> > login by supplying only the first 8 characters. I tried changing the
> > 'maxlength' value on login.defs, didn't work. So, how can I use
> > passwords of more than 8 characters? Thanks.
> <snip>
>
> Howdy Diego,
>
> As root, run "dpkg-reconfigure passwd". It will bring up a dialog box
> asking if you want to enable md5 passwords - answer Yes, and then it
> will allow you to use passwords longer than 8 characters.

$ man 3 crypt

Explanation being: the default "crypt" Unix passwords (used for
compatibility and tradition) only encode the first 8 bytes of a
password (low 7 bits of each character, 56 bits), along with a two byte
"salt" (4096 possible values).

In the past week or so, a project has demonstrated that it's possible to
effectively precompute all crypted, salted values on reasonably attainable
hardware, making brute forcing passwords possible:

    http://slashdot.org/article.pl?sid=03/12/08/192205
    http://security.sdsc.edu/publications/teracrack.pdf

Peace.

--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
We are the unwilling... led by the unqualified... to do the
unnecessary... for the ungrateful...
-- GI in Vietnam, 1970
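
The truncation described in the reply above, as an added example that is not part of the original message: it models only how traditional DES crypt(3) reduces a password and salt to its inputs (first 8 bytes, low 7 bits each, 12-bit salt) and does not run the DES rounds. The function names are hypothetical and the sample passwords are constructed.

```python
# Added illustration: input handling of traditional DES-based crypt(3) only.
# Function names are hypothetical; sample passwords below are constructed.

# The 64-character alphabet used for the two salt characters (6 bits each).
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def des_crypt_key(password: bytes) -> bytes:
    """Return the 8-byte DES key traditional crypt derives from a password."""
    first8 = password[:8].ljust(8, b"\x00")  # bytes past the 8th are ignored
    # Each byte is shifted left by one: the top bit falls off and the low
    # bit is the DES parity position, which does not affect encryption.
    return bytes((b << 1) & 0xFF for b in first8)


def effective_key_bits(password: bytes) -> int:
    """Pack the 8 x 7 = 56 bits that can influence the hash into an int."""
    value = 0
    for b in password[:8].ljust(8, b"\x00"):
        value = (value << 7) | (b & 0x7F)
    return value


def salt_value(salt: str) -> int:
    """Decode a two-character salt into its 12-bit value (0..4095)."""
    if len(salt) != 2 or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt must be two characters from ./0-9A-Za-z")
    return SALT_ALPHABET.index(salt[0]) | (SALT_ALPHABET.index(salt[1]) << 6)


def same_hash_input(pw_a: bytes, pw_b: bytes) -> bool:
    """True when two passwords give crypt the same key, hence the same hash."""
    return des_crypt_key(pw_a) == des_crypt_key(pw_b)


if __name__ == "__main__":
    long_pw, short_pw = b"correcthorsebattery", b"correcth"
    print("long vs. first 8 chars, same key:", same_hash_input(long_pw, short_pw))
    print("high bit dropped (0xe9 vs 'i'):", same_hash_input(b"caf\xe9", b"cafi"))
    print("effective key bits:", effective_key_bits(long_pw).bit_length(), "<= 56")
    print("distinct salts:", len(SALT_ALPHABET) ** 2)
```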