Date: Mon, 4 Oct 1999 12:03:39 -0700 (PDT)
From: Kris Kennaway
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Long username/password
In-Reply-To: <3.0.5.32.19991004144542.010443b0@staff.sentex.ca>

On Mon, 4 Oct 1999, Mike Tancsa wrote:

> >Don't install the DES libcrypt libraries; DES passwords are 8 characters,
> >MD5 are (effectively) infinite. Long user names are already supported, I
> >do believe.
>
> Infinite ? I thought they only honoured the first 16 chars in this case ?

Well, I wasn't quite correct here.

PASSWORD_LEN = 128

MD5 (i.e. crypt() if you don't have the DES libraries, or you're using my
libcrypt replacement) just does a hash over whatever string is presented
to it, which passwd(1) limits to a max of PASSWORD_LEN characters. crypt()
can deal with effectively infinite passwords, but passwd(1) puts a wrapper
around it.

Kris
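
The behaviour described in the message above, as an added example that is not part of the original post or FreeBSD's libcrypt source: a compact Python reimplementation of the `$1$` MD5 crypt construction, showing that bytes past position 128 still change the hash while a length-limiting wrapper makes such passwords collide. `passwd_limited`, the sample salt and the sample passwords are constructed here, and modelling the passwd(1) limit as truncation at PASSWORD_LEN is an assumption.

```python
import hashlib

PASSWORD_LEN = 128  # limit quoted in the message above
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """Emit `count` characters, low 6 bits first (crypt's base-64 alphabet)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def md5_crypt(password: bytes, salt: bytes) -> str:
    """$1$ MD5 crypt: every byte of `password` is fed to the hash."""
    salt = salt[:8]
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    n = len(password)
    while n:  # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed stretching rounds
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    tail = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in groups) + _to64(final[11], 2)
    return "$1$" + salt.decode("ascii") + "$" + tail

def passwd_limited(password: bytes, salt: bytes) -> str:
    """Assumed model of the passwd(1) wrapper: input cut at PASSWORD_LEN."""
    return md5_crypt(password[:PASSWORD_LEN], salt)

def demo():
    salt = b"abcdefgh"                      # constructed sample salt
    a = b"x" * 150 + b"A" + b"x" * 49       # constructed 200-byte passwords
    b = b"x" * 150 + b"B" + b"x" * 49       # differing only at byte 150
    return (md5_crypt(a, salt) != md5_crypt(b, salt),
            passwd_limited(a, salt) == passwd_limited(b, salt))

if __name__ == "__main__":
    print(demo())
```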