1830130 Members
3985 Online
109998 Solutions
New Discussion

Simple question

 
Nicky_5
Regular Advisor

Simple question

Hi All,

I guess this is a very simple questions, but then i was asked this question at an interview, i could not answer it.

Q: Why should unix passwords be 8 or less charecters in length?
I know that passwords can be nore that 8 characters in lenght, but in cases where its more than 8 characters it ignores all characters after 8 characters.... why is that?

Eg. if your password is 1234567890 and you enter only 12345678 it will still let you in...
7 REPLIES 7
Mel Burslan
Honored Contributor

Re: Simple question

what you are saying is only true on the untrusted systems, i.e. older systems. Nowadays everybody is going towards the trusted systems direction, all 10 or upto I believe 64 characters has significance as far as the password goes.

it is a limitation of of the hashing (or encrypting) algorithm on the untrusted systems I presume.
________________________________
UNIX because I majored in cryptology...
Sandman!
Honored Contributor

Re: Simple question

Only the first eight characters of the password are significant and yes it'll still let you login!!!
Robert Salter
Respected Contributor

Re: Simple question

I would think it's because users have a hard time remembering anything past 8 characters. Some have a hard time remembering 2.
Time to smoke and joke
Nicky_5
Regular Advisor

Re: Simple question

Hi Mel,

U are right, i cheched this on 2 old machines (10.20) the trusted one took in all the characters of the password before letting u in and the non trusted one let you in even if u entered the first 8 characters...

But do u know why this 8 character limitation on older system? I was asked thisquestion in an interview and want to be prepared with the answer in any future interviews..
Tim Nelson
Honored Contributor

Re: Simple question

I will bet your interviewer did not know either and was hoping that you did (ha ha).

I am sure it was a bit limitation in the hash algorithem, probably at the time or when the origional code was written either 8 was enough or that was all the bits there were. Never, until recently did anyone bother to change the code.

We will wait until the HPUX guru's of all guru's shows up to select the right answer, I am sure Bill H. will have it. 10 points only the the correct one. 2 points for guessing.


Mel Burslan
Honored Contributor

Re: Simple question

Actually, together with not being sure 100%, I remember reading somewhere that the algorithm used to encrypt/hash the password is the same in both trusted and untrusted systems. The newer and more clever algorithm, parses the typed password to the chunks of 8 characters at a time and hashes them. Then through another logic, it creates a new hash out of the chunks of 8 character hashes.

This subject matter is too rich for my blood to be perfectly honest. Maybe Bill or Clay know the answer by heart or point us all to a document where it gets explained in deeper detail.

But as far as I know, 8 characters is the limitation coming from the old password hashing/encrypting algorithm. Why 8 chars and not 16, I don't know.
________________________________
UNIX because I majored in cryptology...
curt larson_1
Honored Contributor

Re: Simple question

the short answer is the crypt command which is used to encrypt the password only accepts 8 characters. And, truncates anything over 8.

Now why does the crypt command only accept 8 characters?

while i'm just guessing at this, I'd say the 8 character limit is a hold over from early unix implementations. These early implemenations used a 12-bit salt and limited passwords to 8 characters. In the 1970's with 8-bit 1Mhz cpus, a 12 bit salt was considered good enough for most purposes, i.e. speed and connectivity was more desirable then security. And, at the time, a brute force attack would take quite awhile with the computers of the time.
But, now days disk storage has become cheap enough that an attacker can precomute encryptions of millions of common passwords, including all 4096 possible salt variations for each password, and store the precomputed values on a single portable hard drive. And, an attacker with a larger budget can build a disk farm with all 6 character passwords and most common 7 and 8 character passords stored in encrypted form, for all 4096 possible salts.

Although, it could be because the crypt command uses a salted DES algorithm to encrypt a constant string. DES keys are 56 bits long, ascii is a 7 bit code; and 8 times 7 is 56.