Re: A question about passwords and login/authentication
From: Glynn Clements (glynn_at_gclements.plus.com)
Date: 03/12/05
- Previous message: Zero Burnout: "Re: A question about passwords and login/authentication"
- In reply to: Roman L. Daszczyszak II: "A question about passwords and login/authentication"
- Next in thread: Pavol Luptak: "Re: A question about passwords and login/authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 12 Mar 2005 20:11:27 +0000
To: "Roman L. Daszczyszak II" <romandas@gmail.com>
Roman L. Daszczyszak II wrote:
> I have heard that many *nix flavors used to default to using DES as
> their password storage algorithm, but recently many Linux flavors tend
> to use MD5 hashes instead, which are more secure to brute force attacks.
>
> What I'm wondering is how long can a Linux password be?
Long enough. An MD5 hash is only 128 bits long, so there is no point
having a password with more than 128 bits of entropy (equivalent to 16
random bytes or 25 characters randomly selected from [a-z0-9]).
> Can it use extended characters (like Windows Alt-# feature) in its
> passwords and if so, how do you use them (aka if they aren't on the
> keyboard)?
So far as the applicable library routines are concerned, a password
can be any sequence of non-NUL bytes. However, if you use control
codes or characters outside of the 7-bit range, you may have problems
entering them.
E.g. the library functions will allow you to have LF or CR characters
in a password, but you may not be able to enter them at a terminal
login prompt or in a GUI login dialog.
Also, some terminals (or GUI login programs) may represent non-ASCII
characters using ISO-8859-1 whereas others may use UTF-8. The library
functions deal with the raw bytes, not their interpretations as
characters, so if you set a password containing non-ASCII characters
on a terminal which uses ISO-8859-1, you won't be able to log in on a
terminal which uses UTF-8.
> Additionally I have heard that an MD5 hash has no limit to the amount it
> can hash (iow an unlimited length password) but somewhere in the Linux
> authentication it is set to a length of 256. What imposes this length
> of password?
There is no point in having a 256-byte password; as the hash is only
128 bits, there would be many shorter passwords with exactly the same
hash.
-- Glynn Clements <glynn@gclements.plus.com>
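Two of the points above can be checked numerically: how many characters it takes to reach 128 bits of entropy for a given alphabet, and why a non-ASCII password set on an ISO-8859-1 terminal fails on a UTF-8 one. The following is an added illustration, not part of Glynn's message or of any Linux library; `toy_hash` is a constructed stand-in that merely shows a hash consuming raw bytes, not the real crypt(3) `$1$` MD5 scheme, and the salt and password values are made up.

```python
import hashlib
import math


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, target_bits: int) -> int:
    """Smallest password length whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def password_bytes(password: str, terminal_encoding: str) -> bytes:
    """What a terminal hands to the library: the password as raw bytes in
    the terminal's own charset. The library never sees 'characters'."""
    return password.encode(terminal_encoding)


def toy_hash(salt: bytes, pwd: bytes) -> str:
    """Constructed stand-in for a salted MD5 password hash. It operates on
    bytes only, which is the property being illustrated; it is NOT the
    crypt(3) $1$ algorithm."""
    return hashlib.md5(salt + pwd).hexdigest()


def login_would_succeed(stored_hash: str, salt: bytes, attempt: bytes) -> bool:
    """Compare the hash of the bytes typed at login with the stored hash."""
    return toy_hash(salt, attempt) == stored_hash


def cross_terminal_login(password: str, set_on: str, login_from: str) -> bool:
    """Set the password on a terminal using `set_on`, then try to log in
    from a terminal using `login_from`. Same characters, maybe different
    bytes, hence maybe a different hash."""
    salt = b"c0nstructed"  # constructed sample salt
    stored = toy_hash(salt, password_bytes(password, set_on))
    return login_would_succeed(stored, salt, password_bytes(password, login_from))


if __name__ == "__main__":
    # 16 random bytes carry exactly 128 bits; [a-z0-9] needs 25 characters.
    print(f"16 random bytes: {bits_of_entropy(256, 16):.1f} bits")
    print(f"25 chars of [a-z0-9]: {bits_of_entropy(36, 25):.1f} bits")
    print(f"chars of [a-z0-9] for 128 bits: {min_length_for_bits(36, 128)}")

    # Pure ASCII survives a charset mismatch; anything outside 7 bits does not.
    print("ASCII password, latin-1 -> utf-8:",
          cross_terminal_login("secret", "latin-1", "utf-8"))
    print("'cafe' with accent, latin-1 -> utf-8:",
          cross_terminal_login("caf\u00e9", "latin-1", "utf-8"))
```

The accented password encodes to `63 61 66 e9` on an ISO-8859-1 terminal but to `63 61 66 c3 a9` on a UTF-8 one, so the hashes differ even though the user typed the same thing; a password restricted to 7-bit ASCII encodes identically under both and survives the move.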