Subject: Re: 8+ chars in login
To: mocha <>
From: Steven M. Bellovin <>
List: netbsd-users
Date: 03/09/2000 10:29:15
In message <>, mocha writes:
> i just checked the 1.4.2 source and you are right. utmp.h
> #define UT_NAMESIZE     8
> #define UT_LINESIZE     8
> #define UT_HOSTSIZE     16
> as Ron Roskens stated earlier, MAXLOGNAME is defined as 16 in 
> /usr/include/sys/param.h
> #define MAXCOMLEN       16              /* max command name remembered */
> since we are going to have to go through many files to make them call 
> compliant, could we just change it to 32 chars? (please?)
> most users are used to being able to register with up to 32 characters and 
> having the passwd up to that size too.

A longer password is an entirely different issue -- that affects
an entirely different set of programs.  There is also then the
question of the new algorithm -- my off-hand suggestion (and I've
thought about this too little) would be the base-64 encoding of
SHA-1 of the salt -- a larger salt? -- concatenated with the typed

Better yet -- and this will require more thought still -- take that
160-bit string, treat it as the private key for DSS, and store the
corresponding public key.  That way, the same stored password can
be used for challenge/ response login as well as conventional
plaintext password login.

One can go a lot further down this path, but if you go very much
further you're likely to trip over patents, including some of mine
(though those are now owned by Lucent).  See, for example, and (both are patented).