Re: A question about passwords and login/authentication
From: Glynn Clements (glynn_at_gclements.plus.com)
Date: Sat, 12 Mar 2005 20:11:27 +0000
To: "Roman L. Daszczyszak II" <firstname.lastname@example.org>
Roman L. Daszczyszak II wrote:
> I have heard that many *nix flavors used to default to using DES as
> their password storage algorithm, but recently many Linux flavors tend
> to use MD5 hashes instead, which are more secure against brute force attacks.
> What I'm wondering is how long can a Linux password be?
Long enough. An MD5 hash is only 128 bits long, so there is no point
having a password with more than 128 bits of entropy (equivalent to 16
random bytes or 25 characters randomly selected from [a-z0-9]).
> Can it use extended characters (like Windows Alt-# feature) in its
> passwords and if so, how do you use them (aka if they aren't on the
So far as the applicable library routines are concerned, a password
can be any sequence of non-NUL bytes. However, if you use control
codes or characters outside of the 7-bit range, you may have problems.
E.g. the library functions will allow you to have LF or CR characters
in a password, but you may not be able to enter them at a terminal
login prompt or in a GUI login dialog.
Also, some terminals (or GUI login programs) may represent non-ASCII
characters using ISO-8859-1 whereas others may use UTF-8. The library
functions deal with the raw bytes, not their interpretations as
characters, so if you set a password containing non-ASCII characters
on a terminal which uses ISO-8859-1, you won't be able to log in on a
terminal which uses UTF-8.
> Additionally I have heard that an MD5 hash has no limit to the amount it
> can hash (iow an unlimited length password) but somewhere in the Linux
> authentication it is set to a length of 256. What imposes this length
> of password?
There is no point in having a 256-byte password; as the hash is only
128 bits, there would be many shorter passwords with exactly the same
-- Glynn Clements <email@example.com>
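As an added illustration of the two points in the reply above (this is example code, not part of Glynn's message): the entropy arithmetic behind "16 random bytes or 25 characters from [a-z0-9]", and the Latin-1 versus UTF-8 byte mismatch. It uses hashlib.md5 as a stand-in for the system's md5crypt, since the point is only that both hash raw bytes rather than characters.

```python
import hashlib
import math

HASH_BITS = 128  # MD5 digest length: the ceiling on useful password entropy


def bits_per_char(alphabet_size: int) -> float:
    """Entropy per character when each character is chosen uniformly."""
    return math.log2(alphabet_size)


def max_useful_length(alphabet_size: int, hash_bits: int = HASH_BITS) -> int:
    """Number of uniformly random characters needed to reach hash_bits of
    entropy. Beyond this, extra characters add nothing the digest can hold."""
    return math.ceil(hash_bits / bits_per_char(alphabet_size))


def digest_for(password: str, terminal_encoding: str) -> str:
    """MD5 over the bytes a terminal using terminal_encoding would send.
    hashlib.md5 stands in for md5crypt here; both see bytes, not characters."""
    return hashlib.md5(password.encode(terminal_encoding)).hexdigest()


def encoding_mismatch(password: str) -> bool:
    """True when the same characters typed on an ISO-8859-1 terminal and on a
    UTF-8 terminal produce different bytes, and therefore different hashes."""
    return digest_for(password, "latin-1") != digest_for(password, "utf-8")


if __name__ == "__main__":
    # Constructed sample inputs
    print(max_useful_length(256))         # 16 random bytes
    print(max_useful_length(36))          # 25 chars from [a-z0-9]
    print(encoding_mismatch("sekret"))    # False: pure ASCII, same bytes everywhere
    print(encoding_mismatch("señorita"))  # True: ñ is 1 byte in Latin-1, 2 in UTF-8
```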