From owner-freebsd-security Wed Sep 25 15:17:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D41E637B44B for ; Wed, 25 Sep 2002 15:17:21 -0700 (PDT)
Received: from mail.crypton.pl (ns.crypton.pl [195.216.109.11]) by mx1.FreeBSD.org (Postfix) with SMTP id 7B41D43E4A for ; Wed, 25 Sep 2002 15:17:20 -0700 (PDT) (envelope-from mailman@mail.crypton.pl)
Received: (qmail 63335 invoked by uid 1017); 25 Sep 2002 22:17:19 -0000
Date: Thu, 26 Sep 2002 00:17:19 +0200
From: Nomad
To: freebsd-security@freebsd.org
Subject: Password encoding
Message-ID: <20020925221718.GA63296@killer.crypton.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Disposition: inline
User-Agent: Mutt/1.4i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

Hello

I've upgraded my FreeBSD to 4.6.2 some time ago. Since that day I added some new accounts to my system. Everything was OK but...

But one beautiful day I made a mistake and typed a shorter password than the correct one. And what happened? The system let me in after successful authorization!!!

So I made a small investigation. And what I found: the new auth_default value in my system is DES!!! And my passwords on new accounts are only 8 characters long!!!

If you've done the same, check your master.passwd for DES-encoded passwords. Because 8-character passwords without the right password policy (with short passwords in mind) are VERY easy to break. I know, I don't have to say that on this list, but writing about fundamental things is never off-topic.

So, if I am alone with this problem: I am sorry, I must have made some mistake. But if not: then I think that we have to do something about this...

I upgraded my FreeBSD by buildworld/installworld from sources.

Regards
Nomad

-- 
[%% If you dance with the devil %%]
[%% you don't change him.       %%]
[%% The devil is the one        %%]
[%% who is changing you.        %%]

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
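The check the message recommends (look through master.passwd for DES-encoded passwords) can be scripted. The following is an added example, not code from the original message or from FreeBSD; the sample master.passwd(5) content is constructed, and the hash strings in it are illustrative, not hashes of real passwords. The classification relies only on the well-known crypt(3) formats: "$1$" is MD5 crypt, "$2a$" is Blowfish, and a bare 13-character string over the alphabet [A-Za-z0-9./] is traditional DES crypt, which uses only the first 8 characters of the password and a 12-bit salt. That truncation is exactly why a password that is a prefix of the real one (or the real one typed short) still authenticates.

```python
"""Audit master.passwd(5)-style content for legacy DES crypt(3) hashes.

Added example (not from the original list message). Field layout follows
master.passwd(5): name:password:uid:gid:class:change:expire:gecos:home:shell.
"""
import re
from typing import Dict, List, Tuple

# Traditional DES crypt(3): 2 salt chars + 11 hash chars, all from [A-Za-z0-9./].
DES_HASH = re.compile(r"^[A-Za-z0-9./]{13}$")

SCHEMES = ("empty", "disabled", "md5", "blowfish", "des", "unknown")

# Constructed sample; the hash strings are illustrative only.
SAMPLE_MASTER_PASSWD = """\
# $FreeBSD$
root:$1$abcdefgh$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
nomad:ab/Cd0EfGhIjK:1001:1001::0:0:Nomad:/home/nomad:/usr/local/bin/bash
alice:$2a$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1002:1002::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$1$zyxwvuts$lkjihgfedcba9876543210:1003:1003::0:0:Bob:/home/bob:/bin/sh
guest::1004:1004::0:0:Guest:/home/guest:/bin/sh
"""


def classify_hash(field: str) -> str:
    """Name the password scheme of one master.passwd password field."""
    if field == "":
        return "empty"       # account can log in with no password at all
    if field.startswith("*"):
        return "disabled"    # "*" or the "*LOCKED*" prefix written by pw(8)
    if field.startswith("$1$"):
        return "md5"
    if field.startswith("$2a$"):
        return "blowfish"
    if DES_HASH.match(field):
        return "des"         # only the first 8 password characters matter
    return "unknown"


def parse_master_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (login, password_field) for every account line, skipping comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed master.passwd line: {line!r}")
        entries.append((fields[0], fields[1]))
    return entries


def summarize(text: str) -> Dict[str, List[str]]:
    """Group logins by password scheme; every scheme key is always present."""
    groups: Dict[str, List[str]] = {scheme: [] for scheme in SCHEMES}
    for login, pw in parse_master_passwd(text):
        groups[classify_hash(pw)].append(login)
    return groups


def find_des_accounts(text: str) -> List[str]:
    """Logins whose stored hash is traditional DES crypt."""
    return summarize(text)["des"]


if __name__ == "__main__":
    # Run against the real file with: python3 thisfile.py < /etc/master.passwd
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MASTER_PASSWD
    report = summarize(data)
    for login in report["des"]:
        print(f"DES hash (8-char effective password): {login}")
    for login in report["empty"]:
        print(f"EMPTY password field: {login}")
    for login in report["unknown"]:
        print(f"unrecognised hash format: {login}")
```

Run it as root against /etc/master.passwd (the file is mode 0600). Any login reported under "des" keeps its weak hash until the user sets a new password with passwd(1) after the system default has been switched to a stronger scheme; the stored hash is not rehashed by itself.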