News Group Posts

Significant characters in password

You wouldn't think that increasing password security would necessarily cause a confusing login problem, but it did.

What happened was this: users were, in fact, using longer passwords, but the system was set to only pay attention to the first eight characters. When this was changee, users who were using the longer passwords now suddenly could not log in.

From: spcecdt@deeptht.armory.com. (John DuBois)
Newsgroups: comp.unix.sco.misc
Subject: Re: password bug!
Date: Tue, 13 Apr 1999 01:05:36 GMT
Message-ID: <923965536.008.103@news.remarQ.com> 
References: <j0pQ2.22087$LX.8581155@WReNphoon3> 

In article <j0pQ2.22087$LX.8581155@WReNphoon3>,
clive keough <clivekeough@yahoo.com> wrote:
>Although I've never seen it posted. Is it well known that only the
>first 8 characters of the password count on SCO openserver. It doesn't
>just occur on one machine or one version here either. I wasn't aware
>that this was a problem/bug and I've not seen it written elsewhere.

Only the first 8 characters count *by default*.  It's easy to change.  The part
of a password that is significant is set in "segments" of 8 characters.  To
e.g. increase the significant length to 32 characters, do (on a 5.0 system):

usermod -D -x '{passwdSignificantSegments 4}'

MAJOR caveat:
Only the significant part of a password is stored, AND only the significant
part is compared.  So, if you have the significant segments set to 1, you may
have users using >8-character passwords; the password routines just ignore the
extra characters.  But when you increase the significant segments beyond 1,
suddenly all those users will not be able to log in... because now more than
8 characters of the password they enter are being compared against the 8
characters stored in the password database.  I learned this the hard way when
I bumped segments up from 1 to 4 shortly after moving from XENIX to UNIX.
The solution was to put a notice in /etc/issue.  These days you'd do better
to put it in BANNER in /etc/default/issue.

        John
-- 
John DuBois    spcecdt@armory.com.    KC6QKZ   http://www.armory.com./~spcecdt/

1 comment

More Articles by Tony Lawrence - Find me on Google+

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.