Date: Wed, 25 Sep 2002 15:34:08 -0700
From: Kris Kennaway <kris@freebsd.org>
To: Nomad <mailman@crypton.pl>
Cc: freebsd-security@freebsd.org
Subject: Re: Password encoding
Message-ID: <20020925223408.GA15793@xor.obsecurity.org>
In-Reply-To: <20020925221718.GA63296@killer.crypton.pl>
References: <20020925221718.GA63296@killer.crypton.pl>
On Thu, Sep 26, 2002 at 12:17:19AM +0200, Nomad wrote:

> Hello
>
> I've upgraded my FreeBSD to 4.6.2 some time ago. Since that day I added some new accounts to my system. Everything was OK but... But some beautiful day I made a mistake and I wrote a shorter password than the good one. And what happened? The system let me in after successful authorization!!!
>
> So I made a small investigation. And what I found: the new auth_default value in my system is DES!!! And my passwords on new accounts are only 8 characters long!!!
>
> If you've done the same, check your master.passwd if there are some DES encoded passwords. Because 8 character passwords without the right password policy (with short passwords in mind) are VERY easy to break. I know, I don't have to say that on this list, but writing about fundamental things is never off-topic.

This is a documented limitation in DES password hashing. You should only use it if you need to maintain backwards compatibility of your password file with a legacy application/system.

Kris
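Added here as a worked example (not Kris's or FreeBSD's code): a small Python check for the audit Nomad suggests, scanning a master.passwd-style file for traditional DES crypt(3) hashes, which only ever use the first 8 characters of the password. The file contents below are constructed; the hash-format rules are the standard crypt(3) conventions.

```python
import re

# Traditional DES crypt(3) output is 13 characters: a 2-character salt followed
# by 11 hash characters, all drawn from the alphabet [./0-9A-Za-z]. The
# algorithm silently ignores everything past the 8th password character.
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt formats (MD5 $1$, Blowfish $2a$, SHA-512 $6$, ...) carry a
# $id$ prefix and do not share the 8-character limit.
MODULAR_RE = re.compile(r"^\$(\w+)\$")

# Constructed sample in FreeBSD master.passwd layout (10 colon-separated
# fields). None of these hashes belongs to a real account.
SAMPLE_MASTER_PASSWD = """\
# constructed sample, not a real password file
root:$1$saltsalt$ExampleMd5HashValue0123456:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$abcdefgh$0123456789abcdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:zzExampleHash:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*LOCKED*:1003:1003::0:0:Carol:/home/carol:/sbin/nologin
"""


def classify_hash(field):
    """Label the password field of one master.passwd entry."""
    if field == "" or field.startswith("*"):
        return "locked-or-empty"
    m = MODULAR_RE.match(field)
    if m:
        return "modular:" + m.group(1)
    if DES_HASH_RE.match(field):
        return "des"
    return "unknown"


def find_des_accounts(master_passwd_text):
    """Return login names whose stored hash is traditional DES."""
    des_accounts = []
    for line in master_passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed entry; skip rather than guess
        if classify_hash(fields[1]) == "des":
            des_accounts.append(fields[0])
    return des_accounts


def des_equivalent(password_a, password_b):
    """True if DES crypt(3) would treat the two passwords as identical,
    i.e. they agree on the first 8 characters (the effect Nomad hit)."""
    return password_a[:8] == password_b[:8]
```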
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020925223408.GA15793>
