topic Re: Password Lengths in Operating System - HP-UX

Password Lengths

Karen Powers_1 — Tue, 19 Aug 2003 17:11:22 GMT

Hello,
I am trying to find out how to see what the max password length is set to on a trusted HPUX 11 system. I see that it can be up to 40 characters however, when we try to connect to the HP with client software, it will not see more than the first 8 characters.
Thanks!

Re: Password Lengths

Pete Randall — Tue, 19 Aug 2003 17:14:29 GMT

Karen,

This question has come up many times in the forums and the answer is always the same: you are best off if you stick to an 8 character password. Exceeding 8 characters is possible, but the results are generally unfavorable.

Pete

Re: Password Lengths

Pete Randall — Wed, 12 Mar 2025 06:08:20 GMT

Karen,

Here's an example:

~~http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xdd20aaf9f7b2d711abdc0090277a778c,00.html~~

Pete

[Moderator edit: The above link is no longer valid. ]

Re: Password Lengths

Darren Prior — Wed, 20 Aug 2003 08:01:25 GMT

Hi Karen,

As you can see in the thread Pete pointed to it is possible to have far longer passwords on a trusted system than the 8 character limit for non-trusted.

If you attempt to logon from the console you should have no problem with longer passwords (well, other than remembering them!) However, it sounds like your client software isn't suited for use with a trusted system. If it only allows you to type in 8 chars it suggests that it isn't even aware of the trusted system's abilities.

Is your client software a terminal or screen emulator, or is it a separate application? I'd expect an emulator to present a prompt for the password which it sends in return, whereas an application might authenticate itself - in which case it needs to know the difference between the trusted and non-trusted system calls required for authentication.

To summarise: ask the client software vendor if it supports connecting to a trusted system.

regards,

Darren

Re: Password Lengths

twang — Wed, 20 Aug 2003 08:06:54 GMT

On a trusted system, you can set the the minimum lenght of password through parameter in the /etc/default/security:

MIN_PASSWORD_LENGTH = 8

Re: Password Lengths

Karen Powers_1 — Wed, 20 Aug 2003 12:36:53 GMT

Thanks to everyone for their replies. The client application works on many different platforms and has no character length limitation in the password field. My customer's machine is set up in trusted mode. For what ever reason, on hp only, the HP server only sees the first 8 characters. I am trying to figure out if it is something in our client software that is the problem or if it is something setup incorrectly on the customer's HP machine. Our client application is written in VB.
Thanks again!
Karen

Re: Password Lengths

Darren Prior — Wed, 20 Aug 2003 12:46:28 GMT

Hi Karen,

If you can pick out the section of VB code that is responsible for the initial connection and authenticating, please post it - I may be able to help.

regards,

Darren.

Re: Password Lengths

Nat Guyton — Wed, 20 Aug 2003 13:15:37 GMT

First see if simple telnet gives the same problem. If not, it's probably your VB code. If so, it's system-related and don't waste time looking at the VB code until it works with telnet.

Re: Password Lengths

Karen Powers_1 — Thu, 21 Aug 2003 01:27:27 GMT

Thanks Darren,
Here is what I got from the engineer. He says it's a stripped down version of the code but this is basically what it does. He also put his own comments below the code. Thanks again!:

if((shadow_fields = getspnam(mypwent->pw_name)) != NULL)
checkpass = shadow_fields->sp_pwdp;

if (checkpass == NULL)
checkpass = mypwent->pw_passwd;

cryptedpass = crypt(passwdtext, checkpass);
if (strcmp(cryptedpass, checkpass))
{
return(80011);
}

Basically we are using the standard api calls we use for hp systems,
this code has been working since HPUX went to shadow files. We do not
truncate the password before getting here and all the access to the
system goes thou this one piece of code. If they need us to use new or
extended api calls to run on trusted system then we would recommend
using DS 7.0 when it comes out and configuring the security PAM option
for the product this can be made to use standard UNIX login that should,
if HP have done it right, handle the trusted and untrusted cases without
us having to write specific code for trusted systems.

Re: Password Lengths

Karen Powers_1 — Thu, 21 Aug 2003 15:42:33 GMT

OK, I think now I may have the answer to my own question. We are using crypt. It appears that on a trusted system, we need to use bigcrypt to get the longer passwords. Is this correct?
Thanks!
Karen

Re: Password Lengths

Darren Prior — Thu, 21 Aug 2003 16:04:56 GMT

Hi Karen,

yes - bigcrypt is used on trusted systems. Have you previously only had people using short passwords, as you mentioned that this had been working since shadow passwords came out?

regards,

Darren.

Re: Password Lengths

Karen Powers_1 — Thu, 21 Aug 2003 17:21:11 GMT

Hi Darren,
Well, the engineer says that but I have been supporting this product for ages and I know this has been an issue for quite some time. We just must not have many customers that use more than 8 characters. No one, up until the other day, really pushed the issue. Thank you very much for all your time!
Regards,
Karen