Date: Thu, 19 Mar 1998 18:37:24 -0500 (EST)
From: Robert Watson
To: Tom
cc: Richard Stanaford, "Randy A. Katz", questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: Password Characters Not Required???

On Thu, 19 Mar 1998, Tom wrote:

> > > Indeed it is normal. FreeBSD takes only the first 8 significant
> > > characters and then truncates the rest. This is not FreeBSD specific.
> > > BSDI is the same way, along with Solaris and other flavors of Unix, I
> > > believe.
> >
> > However, BSD/OS allows you to modify the max password length for
> > userclasses, up to 128 characters I think? Similarly, the password
>
> This is for user entry purposes. FreeBSD has it too. It has nothing to
> do with how many password characters might be significant.

Actually, I believe it does actually reflect significant characters. On a
BSD/OS 3.1 machine, we have the max password length turned way up, and
shorter passwords (but above 16 char, say) just don't cut it. These
really are significant characters :).

From BSD/OS login.conf(0):

     widepasswords   bool   false   Use the new wide password format
                                    when using the passwd(1) utility.
                                    The wide password format allows
                                    up to 128 significant characters
                                    in the password.

Sounds fun to me. Definitely not good in a mixed-OS passwd environment,
but good for plain BSD machines. :)

> > behavior here is a function of the crypt() used -- with Kerberos, you get
> > whatever the Kerberos behavior is -- it certainly has more significant
> > characters, however. I would personally like to see change in behavior
> > here, perhaps as a login.conf option similar to BSD/OS. I don't see one
> > in the -stable login.conf man page, however.
>
> md5 also has more significant characters (16 I believe). In many ways,
> the "secure" (DES) distribution is actually less secure than the default
> md5.

Yes, it is 16 characters.

  Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/
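
The 8-character truncation discussed in this thread, shown at the key-derivation step of the traditional DES crypt(3). This is an added example, not part of the original messages; the function names are illustrative and the sample passwords are constructed. It goes slightly beyond the thread by also showing that the top bit of each character is discarded.

```python
# Added illustration: how traditional DES crypt(3) turns a password into the
# 8 key bytes fed to DES. Function names are illustrative, not a library API.
from collections import defaultdict

DES_SIGNIFICANT = 8  # characters the classic DES crypt() actually reads


def des_crypt_key(password: str) -> bytes:
    """Return the 8 key bytes classic DES crypt() derives from a password.

    Only the first 8 bytes are read. Each byte is shifted left by one bit,
    which drops its top bit and leaves the DES parity bit at zero. Shorter
    passwords are zero-padded. Assumes a single-byte (latin-1) encoding.
    """
    raw = password.encode("latin-1")[:DES_SIGNIFICANT]
    raw = raw.ljust(DES_SIGNIFICANT, b"\0")
    return bytes((b << 1) & 0xFF for b in raw)


def collision_groups(passwords):
    """Group passwords that DES crypt() cannot tell apart under one salt."""
    groups = defaultdict(list)
    for pw in passwords:
        groups[des_crypt_key(pw)].append(pw)
    return [g for g in groups.values() if len(g) > 1]


def ignored_suffix(password: str) -> str:
    """Part of the password that contributes nothing to the DES hash."""
    return password[DES_SIGNIFICANT:]


if __name__ == "__main__":
    samples = [  # constructed sample passwords
        "correcthorse", "correcthbattery", "correcth",
        "caf\xe9", "cafi", "tr0ub4dor",
    ]
    for group in collision_groups(samples):
        print("same DES key:", group)
    print("ignored:", repr(ignored_suffix("correcthorse")))
```

A password-quality check on a DES-crypt system should therefore be applied to the first 8 characters only, since anything after them does not affect the stored hash.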