9 character passwords do not seem to work

Stephen Langasek vorlon at netexpress.net
Fri Oct 15 22:44:49 GMT 1999


On Sat, 16 Oct 1999 Paul L. Lussier wrote:

>> Dear all,
>> We have Samba 2.0.0; we can't use 2.0.4b (ClearCase problem with this version)
>> on HP-UX 10.20.
>> A user changed their password from an 8-character password to a
>> 9-character password.
>> They now cannot use their Samba share unless they type only the first 8
>> letters of the 9-letter password.

>> Any ideas?

> Yeah, change the password back to 8 characters.  Unix will only recognize the 
> first 8 unique characters of a password.  So, technically, 'password1' and 
> 'password2' would both be interpreted as 'password'.

> I'm not positive this is also true for HP-UX, but I know it is for SunOS, 
> Solaris, and Linux.

This is an untrue generalization.  Unix systems *using crypt() for password 
encryption* are limited to an 8-character password length, but this is the
far low end of the security spectrum on modern Unix systems.  Most Unix
vendors supply alternate password encryption methods.  bigcrypt() and
crypt16() are popular with commercial vendors; on Linux, md5 seems to be the
most popular, and md5 doesn't impose limits on password length.

Recent versions of GNU libc even support these various types of encryption
natively through the crypt() function.

If you have a Unix system that still has an 8-char limit on passwords, I
suggest looking into improving security on the system, as compromising
these passwords is fairly trivial if someone gets ahold of the password
database.

-Steve Langasek
postmodern programmer
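The claim above, that traditional crypt() compares only the first 8 characters while MD5-crypt does not, can be checked directly on any Unix box. The script below is an added example and is not code from the original post or from the Samba project. It hashes a 9-character password and its 8-character prefix (and, as in the thread, "password1" and "password2") under the same salt and reports whether they collide. It assumes the host libcrypt still accepts traditional DES salts ("ab") and MD5-crypt salts ("$1$...$"); the ctypes fallback, the salt values and the probe passwords are constructed for this example.

```python
"""Does a crypt(3) password scheme silently truncate at 8 characters?

Added example for the Samba thread above; not the original poster's code and
not Samba code. Assumptions: the system libcrypt supports DES crypt and
MD5-crypt. On Python 3.13+, where the crypt module was removed, libcrypt is
loaded through ctypes instead.
"""
import ctypes
import ctypes.util

try:
    import crypt as _crypt_mod  # deprecated in 3.11, removed in 3.13

    def crypt_hash(password: str, salt: str):
        """Return the crypt(3) string, or None if the scheme is unsupported."""
        try:
            return _crypt_mod.crypt(password, salt)
        except OSError:  # libc rejects the salt/scheme (EINVAL etc.)
            return None

except ImportError:
    try:
        _libcrypt = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
        _libcrypt.crypt.restype = ctypes.c_char_p
        _libcrypt.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    except OSError:
        _libcrypt = None

    def crypt_hash(password: str, salt: str):
        """Return the crypt(3) string, or None if the scheme is unsupported."""
        if _libcrypt is None:
            return None
        out = _libcrypt.crypt(password.encode(), salt.encode())
        return out.decode() if out else None


# Salts for the two schemes the thread mentions (constructed for the example).
DES_SALT = "ab"            # traditional DES crypt: 2-char salt, 8-char limit
MD5_SALT = "$1$saltsalt$"  # MD5-crypt ("$1$"): no 8-char truncation


def collide(pw_a: str, pw_b: str, salt: str):
    """True if two passwords hash identically under `salt`, False if not,
    None if this libcrypt does not support the scheme (NULL or "*0"/"*1")."""
    ha, hb = crypt_hash(pw_a, salt), crypt_hash(pw_b, salt)
    if not ha or not hb or ha.startswith("*") or hb.startswith("*"):
        return None
    return ha == hb


def scheme_truncates(salt: str, length: int = 8):
    """Probe: does a (length+1)-char password collide with its length-char
    prefix? True means the scheme truncates, exactly the symptom in the thread
    (only the first 8 letters of a 9-letter password are checked)."""
    probe = "abcdefghijklmnopqrstuvwxyz"[: length + 1]
    return collide(probe, probe[:length], salt)


if __name__ == "__main__":
    for name, salt in (("DES crypt", DES_SALT), ("MD5 crypt", MD5_SALT)):
        print(f"{name:10s} truncates at 8: {scheme_truncates(salt)}; "
              f"'password1' == 'password2': {collide('password1', 'password2', salt)}")
```

Run it with the salt format found in the target system's own password database (for example the `$1$` prefix on a Linux shadow entry) to see which scheme a given account is actually stored under; a `None` result means this libcrypt refuses the scheme, which on newer libxcrypt builds is itself the expected answer for DES.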



More information about the samba mailing list