Subject: Re: length of password under netbsd-current
To: None <current-users@NetBSD.ORG>
From: der Mouse <mouse@Collatz.McRCIM.McGill.EDU>
List: current-users
Date: 07/04/1996 06:55:46
> [from "man passwd"]
> The new password should be at least six characters long and not
> purely alphabetic.  Its total length must be less than _PASSWORD_LEN
> (currently 128 characters).  Numbers, upper case letters and meta 
> characters are en-couraged.
> [end extract]

> Then I would like to ask a question, what is the length of password
> should be 8 or less than 128 characters.

Passwords can be any length from one (or possibly zero) up to the
_PASSWORD_LEN define.  As a matter of good security, rather than
technical requirements, they should be at _least_ six characters long,
preferably more, and mixed-case and non-alphabetic characters are good.
(Both of these make dictionary attack harder, that's why they're good.)

This is if you're using one of the modern password hashing algorithms.
If you're using old "compatible" hashes, which AFAIK NetBSD uses only
when doing YP passwords or if explicitly told to, then it behaves
compatibly with traditional password hashing, which means it ignores
everything after the first eight characters.  (This is necessary to be
compatible with other software, unfortunately including a lot of vendor
OSes, that hash passwords that way.  When sharing password databases,
as with YP, the password hash algorithm has to be compatible across all
machines sharing the database.)

					der Mouse
		    01 EE 31 F6 BB 0C 34 36  00 F3 7C 5A C1 A0 67 1D