Vulnerability Development mailing list archives

Re: OpenSSH Password Question


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Sun, 10 Dec 2000 14:20:39 +0100

As a minor comment, I've heard some people (not in this ml) complain about
the fact that old-fashioned unix cuts passwords and think it would be a
great idea to update the old crypt to support longer DES passwords.

The reason why you don't want that is rather simple to show mathematically.
Assume you use strong passwords with a-zA-Z0-9 and 8 characters long
passwords. You get 36^8 possible different passwords, which are hashed
into a 2^40 bit DES hash. But 36^8 / 2^40 = 2.6, meaning that each
checksum has multiple matches. The hash is no longer able to improve
security. That's why we use MD5 instead :)

it's not a bug. it's not a misconfiguration.

traditionally unix allows users to enter more
than 8 characters, even if only the 1st 8 are
significant.

however, there are several systems supporting
passwords longer than 8 characters, e.g.
MD5 or blowfish based password systems.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

             http://www.eff.org/cafe
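As an added illustration of the keyspace argument in the message above (example code, not part of the original post), the following Python compares the effective password space of a scheme that only looks at the first 8 characters with one that uses the whole password, and works out the average number of passwords per hash value; the 36-symbol alphabet and the 2^40 hash space are taken exactly as the post states them.

```python
from typing import Optional


def effective_keyspace(alphabet_size: int, length: int,
                       significant_chars: Optional[int]) -> int:
    """Number of distinct passwords a hash scheme can tell apart.

    Traditional crypt(3) only looks at the first 8 characters, so extra
    characters do not enlarge the space (significant_chars=8).  MD5- or
    Blowfish-based schemes use the whole password (significant_chars=None).
    """
    used = length if significant_chars is None else min(length, significant_chars)
    return alphabet_size ** used


def passwords_per_hash(keyspace: int, hash_bits: int) -> float:
    """Average number of passwords that map onto one hash output.

    When this exceeds 1 the pigeonhole principle guarantees that several
    passwords share a hash, which is the point the post is making.
    """
    return keyspace / 2 ** hash_bits


def post_example() -> float:
    # The post's own figures: a-zA-Z0-9 counted as 36 symbols, 8 characters,
    # and a 2^40-value hash space, reproduced as stated in the message.
    return passwords_per_hash(effective_keyspace(36, 8, 8), 40)


def comparison_table(alphabet_size: int, hash_bits: int, max_len: int):
    """(length, passwords-per-hash under 8-char truncation, under full use)."""
    rows = []
    for length in range(6, max_len + 1):
        truncated = passwords_per_hash(effective_keyspace(alphabet_size, length, 8), hash_bits)
        full = passwords_per_hash(effective_keyspace(alphabet_size, length, None), hash_bits)
        rows.append((length, truncated, full))
    return rows


if __name__ == "__main__":
    print(f"post's ratio: {post_example():.2f} passwords per hash")
    for length, trunc, full in comparison_table(36, 40, 12):
        print(f"len={length:2d}  8-char scheme: {trunc:10.2f}  full-length: {full:14.2f}")
```

The table shows why the post says lengthening the input to an unchanged 2^40 hash does not help: beyond 8 characters the truncating scheme's ratio stays flat, while the full-length scheme's ratio grows far past 1.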

