Re: Password encoding
From: Kris Kennaway (kris@freebsd.org)
Date: 09/26/02
- Next message: Todor Genov: "Re: Password encoding"
- Previous message: Erick Mechler: "Re: Password encoding"
- In reply to: Nomad: "Password encoding"
- Next in thread: Dmitry Agafonov: "Re: Password encoding"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 25 Sep 2002 15:34:08 -0700
From: Kris Kennaway <kris@freebsd.org>
To: Nomad <mailman@crypton.pl>
On Thu, Sep 26, 2002 at 12:17:19AM +0200, Nomad wrote:
> Hello
>
> I've upgraded my FreeBSD to 4.6.2 some time ago. Since that day I have added some new accounts to my system. Everything was OK but... But some beautiful day I made a mistake and wrote a shorter password than the good one. And what happened? The system let me in after successful authorization !!!
> So I made a small investigation. And what I found: the new auth_default value in my system is DES !!! And my passwords on new accounts are only 8 characters long !!!
> If you've done the same, check your master.passwd for DES encoded passwords. Because 8 character passwords without the right password policy (with short passwords in mind) are VERY easy to break. I know, I don't have to say that on this list, but writing about fundamental things is never off-topic.
This is a documented limitation in DES password hashing. You should
only use it if you need to maintain backwards compatibility of your
password file with a legacy application/system.
Kris
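Nomad's suggestion to check master.passwd for DES-hashed accounts can be automated. The script below is an added example (not from this thread and not FreeBSD's own code): it classifies each account's password field by its crypt format, treating a 13-character hash with no `$` prefix as traditional DES crypt, which only uses the first eight characters of the password. The file contents and hash strings are constructed samples, not real hashes.

```python
import re

# Traditional DES crypt: 2-char salt + 11-char hash, alphabet [./0-9A-Za-z], no '$'.
# Only the first 8 characters of the password contribute to this hash.
DES_RE = re.compile(r'^[./0-9A-Za-z]{13}$')

# Modular crypt format prefixes that FreeBSD's libcrypt understands.
MODULAR_PREFIXES = {
    '$1$': 'md5',
    '$2a$': 'blowfish',
    '$2b$': 'blowfish',
    '$5$': 'sha256',
    '$6$': 'sha512',
}

# Constructed sample in master.passwd layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD = """\
# comment lines and blank lines are ignored
root:$1$saltsalt$qwertyuiopasdfghjklzxc:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:abJnggxhB/yWI:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$xyzxyzxy$qwertyuiopasdfghjklzxc:1002:1002::0:0:Bob:/home/bob:/bin/sh

carol:abJnggxhB/yWI:1003:1003::0:0:Carol:/home/carol:/bin/tcsh
dave:*LOCKED*$1$saltsalt$qwertyuiopasdfghjklzxc:1004:1004::0:0:Dave:/home/dave:/bin/sh
"""


def classify_hash(field):
    """Return the hash family of one password field."""
    if field == '':
        return 'empty'          # no password at all: worse than DES
    if field.startswith('*'):
        return 'disabled'       # '*' or '*LOCKED*...': password login not possible
    for prefix, name in MODULAR_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return 'des'
    return 'unknown'


def audit(text):
    """Parse passwd/master.passwd text into (user, hash family) pairs."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        results.append((fields[0], classify_hash(fields[1])))
    return results


def find_des_accounts(text):
    """Usernames whose hash is truncated-to-8-characters DES crypt."""
    return [user for user, algo in audit(text) if algo == 'des']


if __name__ == '__main__':
    for user in find_des_accounts(SAMPLE_MASTER_PASSWD):
        print(f'{user}: DES hash, only the first 8 password characters count')
```

On a real system, read `/etc/master.passwd` as root (the file is mode 0600) and re-hash flagged accounts by changing their passwords after setting a stronger format in login.conf.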
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message