
Password length

 
SOLVED
Go to solution
Ngoh Chean Siung
Super Advisor

Password length

Hi,

I read from Administering a System: Managing System Security, found that

Q1)
"A password can have up to 80."
But through SAM, I think we can only set up to 40, right?

Q2)
"In standard mode, only the first eight characters are used."
What is standard mode? Are there any other modes? How do I check my system's mode? If I have a password with 10 characters, does it mean that I only need to key in the first 8 characters correctly, and even if the last 2 characters are wrong the system will still accept it?

regards.
Patrick Wallek
Honored Contributor

Re: Password length

Regarding Q1 -- I'm not sure. I've never even thought about a password that long.

Regarding Q2 -- Standard mode means not a Trusted System. If you have encrypted passwords in the /etc/passwd file then your system is in standard mode. If you have the /tcb/files/auth directory structure then your system is trusted.

Ravi_8
Honored Contributor

Re: Password length

Hi,

1) I haven't seen any people having a 40-character-long passwd (they must have high flash memory).

2) Standard mode --> Not a trusted system
Standard passwd length is 8 characters only; even if it's more than 8 characters, the system will consider only the first 8 characters and the rest will be ignored.
never give up
Jan van den Ende
Honored Contributor

Re: Password length

Hi,

"I haven't seen any people having 40 character long passwd"

Well, I _have_ seen 25+.

It was way back when, in the early 1980's, on VMS V3 systems.

We were trying to get the users just a little bit security-aware. When we started enforcing minimum 6-char passwords, there was a lot of complaining.

One user rose to our support, and explained why he used long passwords, and why he never forgot them.

The man was of Pakistani origin, and religious.
In his family there was a (habit? religious prescription? I don't know) weekly changing line from the Qur'an as a (morning? evening? midday?) prayer. He transliterated the medieval Arabic text into western characters, and so achieved many goals in one:
He complied with the religious duty of seriously considering the text, he reminded himself of it at each login, and it was completely out of reach for everyone. Even after reading it, it was beyond reproducing!

And he told it just to illustrate to everyone that there exists some way of personal encryption that is quite inaccessible without the key, and in his case, the key itself was inaccessible too!

But getting back at the quote: this guy DID complain that the maximum password length in those days was "only" 31 characters!

-- thanks for bringing up an old memory---


Proost.

Have one on me.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
Bill Hassell
Honored Contributor

Re: Password length

The man page for the security defaults (man security) states max password length = 80 while the man page for passwd recommends 40 or less. SAM is just using the recommendation as a maximum. You can set the minimum password length in the /etc/default/security file but the maximum is set with /usr/lbin/modprdef or in SAM (which is what SAM uses). By calling modprdef directly, you can set maxpwln to any value (like 500), but this is likely an unusable value. With 11.11 and higher, PAM (man pam) is used for authentication, but modprdef (currently) has no linkage to limitations in the PAM system, thus the value can be set to out of range values. That's one of the reasons there is no man page for modprdef (or getprdef) and that the command lives in /usr/lbin (backend commands designed only for use by SAM or other sysadmin tools).

This will set maxpwln to 80:

/usr/lbin/modprdef -m maxpwln=80

As with all backend commands, there are no guarantees that it will exist in a future release (although the XXXprdef commands have been in place since 10.01) or that there are appropriate checks on ranges and values.


Bill Hassell, sysadmin
Ngoh Chean Siung
Super Advisor

Re: Password length

Hi,

My system has already been converted to tcb. I have set the minimum passwd to 8. Just wondering: if I have a password with 10 characters, does it mean that I only need to key in the first 8 characters correctly, and even if the last 2 characters are wrong the system will still accept it?

regards.

Yew Lee
Advisor

Re: Password length

I tested this on a few systems several years ago. If the system only takes in 8 chars for the password, it will accept a 10-char password even if the last 2 chars are wrong.

The best thing would be to test it out on your system. :)
On the move....
Sunil Sharma_1
Honored Contributor

Re: Password length

No.

In TCB mode all characters of the password have to be correct. In your example it will not accept the password if the last two characters are wrong.

Sunil
*** Dream as if you'll live forever. Live as if you'll die today ***
Bill Hassell
Honored Contributor
Solution

Re: Password length

Just to clarify. In Trusted mode (/tcb has been created by the Trusted System conversion), every character is significant, so it is always an exact match. In an untrusted system, it is an artifact that the passwd command accepts more than 8 characters without a syntax error. Essentially, the extra characters are always ignored. Where this becomes an issue is when an untrusted system is converted to Trusted. Users may be used to typing longer passwords, but after conversion the 8 significant password characters become the Trusted password, so typing more will fail. Users can of course change their password to a longer password in Trusted mode and it will work as expected.


Bill Hassell, sysadmin
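The thread settles two practical checks: Patrick Wallek's test for Trusted vs. standard mode (the presence of /tcb/files/auth), and Bill Hassell's point that on a standard system the stored hash is a traditional crypt(3) value in which only the first 8 characters of the password are significant. The script below is an added example, not code from the thread or from HP; it bundles both checks into shell functions so an admin can run them before a Trusted System conversion and see which accounts will be affected. It assumes the classic /etc/passwd layout with the hash in field 2, treats any 13-character hash as traditional DES crypt, and builds its own constructed sample passwd file and a fake root directory so it runs offline; the account names and hash strings in the sample are made up.

```shell
#!/bin/sh
# Added example: audit password-length significance on an HP-UX-style system.
# Not from the original thread. Paths and sample data are assumptions.

# Trusted vs. standard mode, using the /tcb/files/auth test from the thread.
# $1 is the root to inspect (default "/"), so the check can run against a copy.
pw_mode() {
    root=${1:-/}
    if [ -d "$root/tcb/files/auth" ]; then
        echo trusted
    else
        echo standard
    fi
}

# Classify one passwd hash field. A 13-character value (2-char salt + 11-char
# hash) is traditional DES crypt(3): only the first 8 password characters count.
# Modular-format hashes ($1$, $5$, $6$) use the whole password.
pw_hash_kind() {
    case "$1" in
        "")            echo empty ;;               # no password set at all
        x|'*'|'!'*)    echo locked-or-shadowed ;;  # not directly usable
        '$1$'*)        echo md5 ;;
        '$5$'*)        echo sha256 ;;
        '$6$'*)        echo sha512 ;;
        *)
            if [ ${#1} -eq 13 ]; then
                echo des-8-significant
            else
                echo unknown
            fi ;;
    esac
}

# Print the names of accounts whose hash is traditional DES crypt. After a
# Trusted System conversion these users must type exactly their first 8
# characters (or reset to a longer password), as the thread explains.
# $1 is the passwd-format file to scan.
pw_audit_des() {
    while IFS=: read -r name hash rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank/comment lines
        if [ "$(pw_hash_kind "$hash")" = des-8-significant ]; then
            echo "$name"
        fi
    done < "$1"
}

# --- Constructed demo data (assumption: not a real system) ------------------
DEMO_ROOT="${TMPDIR:-/tmp}/pwlen_demo.$$"
mkdir -p "$DEMO_ROOT/tcb/files/auth"          # fake Trusted System layout
SAMPLE_PASSWD="$DEMO_ROOT/passwd.sample"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:ab2n1k4EPvG3M:0:3::/:/sbin/sh
svc:$6$saltsalt$notarealhashvalue:200:20::/home/svc:/sbin/sh
nobody:*:-2:-2::/:
EOF

# Stand-alone run: shows the mode of the fake root and the DES-only accounts.
echo "mode of $DEMO_ROOT: $(pw_mode "$DEMO_ROOT")"
echo "accounts with 8-significant-character (DES) hashes:"
pw_audit_des "$SAMPLE_PASSWD"
```

Run it as-is to see the demo; on a real box call `pw_mode` with no argument and point `pw_audit_des` at /etc/passwd (or the file you copied it to). On a standard-mode system every account it lists is one where the truncation Yew Lee observed applies, which is exactly the set of users to warn before converting to Trusted.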