tech-security: Re: Longer passwords

Subject: Re: Longer passwords
To: None <tech-security@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 09/17/2000 19:41:16
  by mail.netbsd.org with SMTP; 17 Sep 2000 23:41:41 -0000
	id 222904; Sun, 17 Sep 2000 19:41:16 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
From: woods@weird.com (Greg A. Woods)
To: tech-security@netbsd.org
Subject: Re: Longer passwords
In-Reply-To: <20000917160757.A10312@antioche.eu.org>
References: <39C277982A5.6FF4ADMIN@mail.cordef.com.pl>
	<20000917160757.A10312@antioche.eu.org>
Reply-To: tech-security@NetBSD.ORG (NetBSD Security Technical Discussion List)
Organization: Planix, Inc.; Toronto, Ontario; Canada
Message-Id: <20000917234116.222904@proven.weird.com>
Date: Sun, 17 Sep 2000 19:41:16 -0400 (EDT)

[ On Sunday, September 17, 2000 at 16:07:57 (+0200), Manuel Bouyer wrote: ]
> Subject: Re: Longer passwords
>
> On Fri, Sep 15, 2000 at 09:25:12PM +0200, Andrzej Wójkowski  wrote:
> > Hi all
> > I've got NetBSD 1.4.1 version for pmax. My problem is, that on my system
> > passwords are only 8-chars long. I tried to set lonnger passwords in
> > passwd command, but computer logs me in after 8 chars typed. Are there
> > any way to change it
> 
> No, passwds are effectively limited to 8 chars (for now).

Yeah, which is really sad because <pwd.h> has had a ``#define
_PASSWORD_LEN 128'' in it ever since at least 4.3BSD, and it has been
used correctly everywhere necessary since 4.3 too, except crypt()...

I thought there was a proposal afoot at one point to simply keep
re-encrypting the previous result with the next 8 bytes until a NUL was
encountered in the first byte (and of course first filling the buffer
with all NULs).  However I haven't seen anything of this recently.

Of course it would also be really cool if NetBSD would adopt the MD5
scheme used by the other *BSDs....

All of this stuff, including my patches to integrate libcrack, should
have been in well before 1.5 was even branched!  It's not like the code
hasn't been available for long enough.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>