From owner-freebsd-security Wed Sep 25 15:34:12 2002
Date: Wed, 25 Sep 2002 15:34:08 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Nomad
Cc: freebsd-security@freebsd.org
Subject: Re: Password encoding
Message-ID: <20020925223408.GA15793@xor.obsecurity.org>
In-Reply-To: <20020925221718.GA63296@killer.crypton.pl>

On Thu, Sep 26, 2002 at 12:17:19AM +0200, Nomad wrote:
> Hello
>
> I've upgraded my FreeBSD to 4.6.2 some time ago. Since that day I added some new accounts to my system. Everything was OK but... But one beautiful day I made a mistake and wrote a shorter password than the right one. And what happened? The system let me in after successful authorization!!!
> So I made a small investigation. And what I found: the new auth_default value in my system is DES!!! And my passwords on new accounts are only 8 characters long!!!
> If you've done the same, check your master.passwd for DES-encoded passwords. Because 8-character passwords without the right password policy (with short passwords in mind) are VERY easy to break. I know, I don't have to say that on this list, but writing about fundamental things is never out of place.

This is a documented limitation in DES password hashing. You should only use it if you need to maintain backwards compatibility of your password file with a legacy application/system.

Kris
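The check Nomad suggests, walking master.passwd and flagging accounts whose hash is traditional DES (13 characters from the crypt(3) alphabet, no "$" scheme prefix) or empty, as an added example that is not part of the original thread. The sample lines are constructed and the hash values are made-up strings of the right shape, not real hashes.

```python
import re

# Traditional DES crypt(3): a 2-char salt plus 11 chars of output, all from
# the 64-char alphabet [./0-9A-Za-z], 13 chars total. The scheme keeps only
# the first 8 characters of the password, the limitation discussed above.
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> str:
    """Name the crypt(3) scheme used by one master.passwd password field."""
    if field == "":
        return "empty"      # no password at all
    if field.startswith(("*", "!")):
        return "locked"     # can never match any crypt() output
    if field.startswith("$1$"):
        return "md5"
    if field.startswith("$2"):
        return "blowfish"
    if field.startswith("$6$"):
        return "sha512"
    if DES_HASH.match(field):
        return "des"        # only 8 password characters are significant
    return "unknown"


def find_des_accounts(master_passwd_text: str) -> list:
    """Return (user, scheme) for every entry whose hash is DES or empty."""
    findings = []
    for line in master_passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:   # master.passwd entries have exactly ten fields
            continue
        user, pw_hash = fields[0], fields[1]
        scheme = classify_hash(pw_hash)
        if scheme in ("des", "empty"):
            findings.append((user, scheme))
    return findings


# Constructed sample master.passwd content (not from any real system).
SAMPLE = """\
root:$1$AbCdEfGh$FakeMd5HashFakeMd5HashFa:0:0::0:0:Charlie &:/root:/bin/csh
nomad:AbCdEfGhIjKlM:1001:1001::0:0:Nomad:/home/nomad:/bin/sh
kris:*:1002:1002::0:0:Kris:/home/kris:/bin/sh
guest::1003:1003::0:0:Guest:/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for user, scheme in find_des_accounts(SAMPLE):
        print(f"{user}: {scheme} password field, re-set the password under a stronger scheme")
```

On a live system, run it against the output of `cat /etc/master.passwd` as root; accounts it lists need their password re-set after the login class's password format is changed.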