Date:      Wed, 25 Sep 2002 15:34:08 -0700
From:      Kris Kennaway <kris@freebsd.org>
To:        Nomad <mailman@crypton.pl>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Password encoding
Message-ID:  <20020925223408.GA15793@xor.obsecurity.org>
In-Reply-To: <20020925221718.GA63296@killer.crypton.pl>
References:  <20020925221718.GA63296@killer.crypton.pl>

On Thu, Sep 26, 2002 at 12:17:19AM +0200, Nomad wrote:
> Hello
>
> I've upgraded my FreeBSD to 4.6.2 some time ago. Since that day I added some new accounts to my system. Everything was OK but... But some beautiful day I made a mistake and I wrote a shorter password than the good one. And what happened? The system let me in after successful authorization!!!
> So I made a small investigation. And what I found: the new auth_default value in my system is DES!!! And my passwords on new accounts are only 8 characters long!!!
> If you've done the same, check your master.passwd for DES encoded passwords. Because 8 character passwords without the right password policy (with short passwords in mind) are VERY easy to break. I know, I don't have to say that on this list, but writing about fundamental things is never in off.

This is a documented limitation in DES password hashing.  You should
only use it if you need to maintain backwards compatibility of your
password file with a legacy application/system.

Kris
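
An added example, not part of either message: a Python check of the kind Nomad suggests, listing the master.passwd accounts whose hash is in the traditional DES format. The function names and sample entries are constructed for illustration; the assumed format rules are the 13-character traditional DES string, the `_`-prefixed extended DES string, and `$`-prefixed modular hashes.

```python
import re

B64 = r"[./0-9A-Za-z]"                              # crypt(3) alphabet
TRADITIONAL_DES = re.compile(rf"^{B64}{{13}}$")     # 2-char salt + 11-char hash
EXTENDED_DES = re.compile(rf"^_{B64}{{19}}$")       # '_' + count + salt + hash
MODULAR = {"1": "md5", "2": "blowfish", "2a": "blowfish"}

def classify(field):
    """Return the hash scheme implied by a master.passwd password field."""
    if field.startswith("*LOCKED*"):                # prefix added by `pw lock`
        field = field[len("*LOCKED*"):]
    if field == "":
        return "empty"
    if field.startswith("$"):                       # $<id>$<salt>$<hash>
        return MODULAR.get(field.split("$")[1], "other-modular")
    if TRADITIONAL_DES.match(field):
        return "des"                                # only 8 characters are used
    if EXTENDED_DES.match(field):
        return "des-extended"
    return "no-login"                               # '*' and similar placeholders

def find_des_accounts(text):
    """Return the names of accounts whose hash is traditional DES."""
    names = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 10:
            continue                                # comment or malformed entry
        if classify(fields[1]) == "des":
            names.append(fields[0])
    return names

# Constructed sample entries (not real hashes), in master.passwd's 10-field layout.
SAMPLE = """\
root:$1$constr00$AAAAAAAAAAAAAAAAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:xyQ0v7mPz3LkA:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*abQ0v7mPz3LkA:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:_J9..saltAbcdefghij1:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    for name in find_des_accounts(SAMPLE):
        print(f"{name}: traditional DES hash (8-character limit)")
```

On a real system, read /etc/master.passwd as root and pass its contents to `find_des_accounts`; locked accounts are included because the old hash becomes usable again once the account is unlocked.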




