Re: user passwords in SuSE 8.0


Subject: Re: user passwords in SuSE 8.0
From: Mike Tibor (tibor@lib.uaa.alaska.edu)
Date: Fri Aug 30 2002 - 17:58:14 AKDT


On 30 Aug 2002, Greg Madden wrote:

>
> On Fri, 2002-08-30 at 15:07, Justin Dieters wrote:
> >
> > I came across a curious (stupid?) limitation in SuSE 8.0.. User
> > passwords are limited to 8 characters. Trying to set up or change
> > passwords through Yast2 will not let you go more than 8 characters, and
> > when using 'passwd' at the command line, it simply says 'truncating
> > password to 8 characters'. Anyone out there know how to, or have any
> > ideas how to get around this so I can specify longer passwords?
> >
> > Thanks,
> > Justin
>
> I don't know if this is related, .. but during an install of Debian it
> asks to enable 'shadow' passwords.. this enables passwords of > 8
> characters.

Shadow passwords are really just a means of moving the encrypted password
strings out of /etc/passwd (which is and must be world readable), and into
/etc/shadow (which is not world readable). It doesn't have anything to do
with password length.

The password length thing is a DES vs. MD5 hashing issue. If your system
uses DES, you're stuck with passwords of 8 or fewer characters. MD5 allows
you to use passwords up to 128 characters (I think--not totally sure on
that) and is harder to brute-force than DES. You can tell if your system
uses MD5 by looking at either /etc/passwd or /etc/shadow (wherever your
passwords live). If you see something like this:

$1$YyT7Yod.$6C1lzQY1HLmYYAQUI8zaq0

in the password field, then it's using MD5.

If you have older systems which use DES, but which also use PAM, you may
be able to switch to MD5 by adding "md5" to the line that looks something
like this:

password required /lib/security/pam_pwdb.so nullok use_authtok shadow

This would need to be done for both "login" and "passwd". For example, on
RH 6.2, you would make the above modification on /etc/pam.d/login and
/etc/pam.d/passwd.

I don't know about other distros, but recent RH versions default to MD5.
I would highly suspect others would as well.

I haven't played with it for a while, but the last time I installed
OpenBSD, it used blowfish instead of MD5 or DES. The encrypted password
string was huge, and would probably be extremely difficult to brute-force,
assuming one used a decent password. I don't know if it would allow for
>128 character passwords.

Mike

-- 
Mike Tibor         Univ. of Alaska Anchorage    (907) 786-1001 voice
Network Technician     Consortium Library         (907) 786-6050 fax
tibor@lib.uaa.alaska.edu       http://www.lib.uaa.alaska.edu/~tibor/
http://www.lib.uaa.alaska.edu/~tibor/pgpkey  for PGP public key
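The two checks Mike describes, reading the hash prefix in /etc/shadow to see which scheme is in use (and therefore whether the 8-character DES limit applies) and adding "md5" to the PAM password line, as an added Python example. This is not code from the original thread or from any distribution; the shadow sample is constructed (only the $1$ hash is the one quoted above; the DES and Blowfish strings are made-up placeholders), and the function names classify_hash, audit_shadow and enable_md5_in_pam_line are the example's own.

```python
import re

# Constructed sample in /etc/shadow format (the MD5 hash is the one quoted
# in the message; the DES and Blowfish strings are made-up placeholders).
SAMPLE_SHADOW = """\
root:$1$YyT7Yod.$6C1lzQY1HLmYYAQUI8zaq0:11929:0:99999:7:::
alice:abJnggxhB/yWI:11929:0:99999:7:::
bob:$2a$08$abcdefghijklmnopqrstuv0123456789ABCDEFGHIJKLMNOPQRSTU:11929:0:99999:7:::
daemon:*:11929:0:99999:7:::
nobody:!!:11929:0:99999:7:::
"""

# Modular-crypt prefixes and the hashing scheme each identifies.
PREFIXES = {
    "$1$": "MD5-crypt",
    "$2a$": "bcrypt (Blowfish)",
    "$2b$": "bcrypt (Blowfish)",
    "$2y$": "bcrypt (Blowfish)",
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
}

# Traditional DES crypt: 2 salt chars + 11 hash chars from the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Return (scheme, truncates_at_8) for one password field."""
    if field == "":
        return ("empty (no password)", False)
    if field.startswith(("!", "*")):
        return ("locked/disabled", False)
    for prefix, scheme in PREFIXES.items():
        if field.startswith(prefix):
            return (scheme, False)
    if DES_RE.match(field):
        # Only traditional DES crypt silently uses just the first 8 characters.
        return ("traditional DES crypt", True)
    return ("unknown", False)


def audit_shadow(text):
    """Parse shadow-format text; return (user, scheme, truncates_at_8) per entry."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        scheme, truncates = classify_hash(field)
        results.append((user, scheme, truncates))
    return results


def enable_md5_in_pam_line(line):
    """Append 'md5' to a 'password' pam_pwdb/pam_unix line if it is missing.

    Lines of other types (auth, account, session) or other modules are
    returned unchanged, and the edit is idempotent.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "password":
        return line
    module = tokens[2]
    if not module.endswith(("pam_pwdb.so", "pam_unix.so")):
        return line
    if "md5" in tokens[3:]:
        return line
    return line.rstrip() + " md5"


if __name__ == "__main__":
    for user, scheme, truncates in audit_shadow(SAMPLE_SHADOW):
        flag = "  <- limited to 8 characters" if truncates else ""
        print(f"{user:10s} {scheme}{flag}")
    print(enable_md5_in_pam_line(
        "password required /lib/security/pam_pwdb.so nullok use_authtok shadow"))
```

Run against a real /etc/shadow (as root) by reading the file into audit_shadow; any account flagged as DES will keep its 8-character cap until the user's password is changed after the PAM switch, since the existing hash cannot be converted in place.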




This archive was generated by hypermail 2a23 : Fri Aug 30 2002 - 17:58:16 AKDT