[clue-tech] effective password length
David L. Anselmi
anselmi at anselmi.us
Thu Apr 15 22:19:47 MDT 2010
David L. Willson wrote:
> At RMSEL, a Linux Terminal Server school, they're noticing some password weirdness. Characters
> beyond x entered at the keyboard, or set in the password, are ignored.
>
> Anyone familiar with a "feature" that might cause that?

Sure, it's a feature of the password hasher. Solaris 8 only uses 8 characters, at least originally.

In Win NT, the LANMAN hashes split the password into two 7-character strings and hashed them
separately. If you entered something less than 14 the remainder was padded with null or something
that gave you a clue at breaking the hash.

This http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-pass.html
says that the DES hasher only uses 8 characters (probably because DES works on 64-bit blocks). I'd
guess that MD5 hashers don't limit the password length.

Dave
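
An added example, not part of the original post: one way to find which accounts are stored with the 8-character DES hasher is to classify the hash field of each shadow-format line. It assumes the usual crypt(3) conventions (13-character DES output with no prefix, `$1$`/`$5$`/`$6$` prefixes for MD5 and SHA schemes); the sample lines and their hash values are constructed placeholders.

```python
import re

# Traditional DES crypt output: 2 salt chars + 11 hash chars, no "$" prefix.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")

# Modular-crypt prefixes mapped to (scheme, significant password chars).
# None means the scheme does not cut the password off at a short length.
PREFIXES = {
    "$1$": ("md5-crypt", None),
    "$5$": ("sha256-crypt", None),
    "$6$": ("sha512-crypt", None),
}

# Constructed shadow-style lines; the hash fields are placeholders, not real hashes.
SAMPLE = """\
alice:abJnggxhB/yJs:14715:0:99999:7:::
bob:$1$CONSTRUC$AAAAAAAAAAAAAAAAAAAAAA:14715:0:99999:7:::
carol:!ab0123456789.:14715:0:99999:7:::
daemon:*:14715:0:99999:7:::
erin:$6$CONSTRUCTED$BBBBBBBB:14715:0:99999:7:::
"""

def classify(hash_field):
    """Return (scheme, significant_chars) for one shadow hash field."""
    body = hash_field.lstrip("!")          # leading "!" marks a locked password
    if body in ("", "*"):
        return ("no-password", None)
    for prefix, info in PREFIXES.items():
        if body.startswith(prefix):
            return info
    if DES_RE.fullmatch(body):
        return ("des-crypt", 8)
    return ("unknown", None)

def truncating_accounts(shadow_text):
    """List (user, scheme) pairs whose hasher ignores characters past 8."""
    hits = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, hash_field = line.split(":")[:2]
        scheme, limit = classify(hash_field)
        if limit == 8:
            hits.append((user, scheme))
    return hits

if __name__ == "__main__":
    for user, scheme in truncating_accounts(SAMPLE):
        print(f"{user}: {scheme} hash, only the first 8 characters count")
```

Accounts it reports keep the 8-character limit until their password is changed under a hasher that uses the whole password.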