Penetration Testing mailing list archives
Re: Article / Document about passwords vs. passphrases
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Thu, 02 Nov 2006 08:59:39 +0100
Salut,

On Tue, 2006-10-31 at 14:01 +0200, Florian Rommel wrote:
> Also, someone said that only the most recent versions of Linux allow you to have long passwords. According to my memory, this has worked already for a looong time (I remember I used a long password quite a few years back already), so any info on that would be good too.
The reason is simple and has different results than you might think. The problem is that the crypt() function was used as a hashing algorithm. Now, crypt() is just a 56-bit cipher, so what it does is it takes the first 7 bytes of input and the first 7 bytes of the key and DES encrypts it. Thus, if you had a password longer than 7 characters, you could have entered anything just as long as the first 7 characters were equal.

As an example: If your password was "alamakota", then you could have entered "alamakori" and still be logged in. Or simply "alamako".

Tonnerre
--
SyGroup GmbH
Tonnerre Lombard
Lösungen mit System
Tel:+41 61 333 80 33    Röschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard () sygroup ch
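An added example, not part of the original message: a probe that measures how many leading characters a password verifier actually checks, which is how the truncation described above can be tested for on a system you administer. The verifier is a constructed stand-in (SHA-256 over a truncated input, not the DES-based crypt()), the limit of 7 is a parameter taken from the message, and `make_truncating_verifier` and `significant_length` are hypothetical names.

```python
import hashlib
import hmac


def make_truncating_verifier(password, limit=None):
    """Constructed stand-in for a verifier that hashes only the first
    `limit` bytes of its input (limit=None hashes the whole input).
    SHA-256 replaces crypt() here; only the truncation is modelled."""
    def digest(candidate):
        return hashlib.sha256(candidate.encode("utf-8")[:limit]).digest()

    stored = digest(password)
    return lambda candidate: hmac.compare_digest(stored, digest(candidate))


def significant_length(verify, password):
    """Return how many leading characters of `password` the verifier checks.

    One character is changed at a time. The first position whose change is
    still accepted is the point where the verifier stops reading. If every
    change is rejected, all len(password) characters are significant (a
    limit longer than the test password cannot be seen with this password).
    """
    for i, ch in enumerate(password):
        replacement = "x" if ch != "x" else "y"
        mutated = password[:i] + replacement + password[i + 1:]
        if verify(mutated):
            return i
    return len(password)


if __name__ == "__main__":
    # Constructed test data: the password from the message, limit as stated there.
    legacy = make_truncating_verifier("alamakota", limit=7)
    modern = make_truncating_verifier("alamakota")
    for name, verify in (("truncating", legacy), ("full-length", modern)):
        for attempt in ("alamakota", "alamakori", "alamako", "alamak"):
            print(f"{name:12} {attempt:10} accepted={verify(attempt)}")
        print(f"{name:12} significant length:",
              significant_length(verify, "alamakota"))
```

Pointed at a real login path, pass a `verify` callable that wraps that system's own check and use a test account whose password is longer than any limit you expect.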