From owner-freebsd-questions Tue Apr 4 3:40:19 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from axl.ops.uunet.co.za (axl.ops.uunet.co.za [196.31.1.175]) by hub.freebsd.org (Postfix) with ESMTP id AFF6F37B7A2 for ; Tue, 4 Apr 2000 03:40:10 -0700 (PDT) (envelope-from sheldonh@axl.ops.uunet.co.za)
Received: from sheldonh (helo=axl.ops.uunet.co.za) by axl.ops.uunet.co.za with local-esmtp (Exim 3.13 #1) id 12cQkX-000Miq-00; Tue, 04 Apr 2000 12:39:57 +0200
From: Sheldon Hearn
To: Bhishan Hemrajani
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: only 8 chars of password needed to login
In-reply-to: Your message of "Mon, 03 Apr 2000 21:48:13 MST." <200004040448.e344mDn01205@cytosine.dhs.org>
Date: Tue, 04 Apr 2000 12:39:57 +0200
Message-ID: <87347.954844797@axl.ops.uunet.co.za>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 03 Apr 2000 21:48:13 MST, Bhishan Hemrajani wrote:

> I have a problem with users' passwords on my system. I'm not sure if
> it is an error in my setting up FreeBSD, or a security hole.

It's as much of a security hole as the difference between 10 character
passwords and 8 character passwords. Theoretically huge, practically
insignificant. :-)

> What happens is, I set a password for a user that is 10 chars
> long. But, when I login, I can just enter 8 chars and anything after
> that, or just the 8 chars and it will let me log in.

Yes. You're using the DES encryption scheme instead of the MD5 scheme.
While MD5 does allow longer passwords, DES has the advantage of being
cross-platform -- e.g. you can copy crypted passwords between FreeBSD
boxes and SUN boxes.

> My hunch is that I should use a different encryption scheme for
> /etc/master.passwd

I'd recommend that you spend some time thinking about the difference it
actually makes. In the real world, the biggest problem is not the length
of a password, but the ease with which it may be guessed by testing it
against common permutations of dictionary words.
I'd suggest that, unless you host an enormous number of shell users,
you're probably better off educating the users you do have regarding the
safe selection of passwords. If you like, you can direct them to

http://people.freebsd.org/~sheldonh/passwords.html

which is taken from the security FAQ supplied with Alec Muffett's Crack
utility (available in the FreeBSD ports tree, described at
http://www.freebsd.org/ports/).

Ciao,
Sheldon.
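The behaviour Sheldon describes comes from how traditional crypt(3) builds its DES key: only the first 8 bytes of the password are read, each contributing 7 bits, so "secretpass" and "secretpa" hand DES identical key material and therefore identical hashes. The following is an added example, not code from the mail or from FreeBSD; it reproduces that key-derivation step to show the truncation, and adds the check an administrator would want before deciding whether to migrate: a scan of /etc/master.passwd entries by the shape of the password field (13-character DES hash versus `$1$`-prefixed MD5). The sample file and its hash strings are constructed placeholders, and all function names are mine.

```python
"""Added example: DES crypt() key truncation and a master.passwd scheme audit.
Sample data below is constructed; the hash strings are not real hashes."""
import string

# Characters allowed in a traditional 13-character DES crypt() hash.
_DES_CHARS = set(string.ascii_letters + string.digits + "./")


def des_key_bytes(password: str) -> bytes:
    """Reproduce how traditional crypt(3) turns a password into its 56-bit DES key.

    Only the first 8 bytes are consumed.  Each byte keeps its low 7 bits,
    shifted left by one so the DES parity bit (ignored by DES) sits in the LSB.
    Shorter passwords are NUL-padded.  Bytes past position 8 are never read,
    which is why anything typed after the eighth character is accepted.
    """
    key = bytearray(8)
    for i, byte in enumerate(password.encode("utf-8")[:8]):
        key[i] = (byte & 0x7F) << 1
    return bytes(key)


def same_des_input(a: str, b: str) -> bool:
    """True when DES crypt() would receive identical key material for a and b."""
    return des_key_bytes(a) == des_key_bytes(b)


def classify_hash(field: str) -> str:
    """Name the password scheme from a master.passwd password field."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    if field.startswith("$1$"):
        return "md5"
    if len(field) == 13 and set(field) <= _DES_CHARS:
        return "des"
    return "unknown"


def audit_master_passwd(text: str) -> dict:
    """Map user name -> scheme for every 10-field master.passwd entry."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:  # name:pw:uid:gid:class:change:expire:gecos:home:shell
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result


def des_users(text: str) -> list:
    """Accounts whose hash still uses the 8-character DES scheme."""
    return sorted(u for u, s in audit_master_passwd(text).items() if s == "des")


# Constructed sample: placeholder hashes in the right shape, not hashes of anything.
SAMPLE_MASTER_PASSWD = """\
# constructed sample master.passwd
root:$1$abcdefgh$ZYXWVUTSRQPONMLKJIHGFE:0:0::0:0:Charlie &:/root:/bin/csh
alice:abJnggxhB/yWI:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1002:1002::0:0:Bob:/home/bob:/bin/sh
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
"""

if __name__ == "__main__":
    # DES sees only "secretpa" in all of these, so they hash identically.
    print(same_des_input("secretpass", "secretpa"))      # True
    print(same_des_input("secretpass", "secretpaXYZ"))   # True
    print(same_des_input("secretpa", "secretpb"))        # False
    print(audit_master_passwd(SAMPLE_MASTER_PASSWD))
    print(des_users(SAMPLE_MASTER_PASSWD))              # ['alice']
```

Running the audit against a real master.passwd (read as root, not copied elsewhere) tells you how many accounts are actually affected before you decide whether the switch to MD5 is worth more than the user education Sheldon recommends.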