On Fri, 10 Mar 2000, Mark wrote:
> Not actually a bug, but a recommendation for later distributions'
> security: I've noticed 2.1 only allows something along the lines of an 8
> character password. If someone were to get ahold of someone's username,
> which is easy to do, and they of course had some queer password guessing
> tool that tried all combinations within the 8 char limit, it'd be pretty
> easy to at least do that. I've tested other distributions like
> Slackware; slack7 allows a 126 character password at max, which is a
> really good thing. Just a recommendation.
If there are 64 characters to use for a letter of a password (26 upper case, 26 lower case, numbers, and two punctuation characters) then 64^8 is 281474976710656 unique passwords. If we include all the possible 7 character passwords then the number is larger. If you can try 1000 passwords a second then it would take 9000 years to try all possible passwords, giving an average crack time of 4500 years. If your system has a world-readable shadow file or some other mechanism that allows the 10,000,000 password guesses per second necessary to crack passwords, then you have a bigger problem than an 8 character limit. If you allow a 126 character password then you are absolutely guaranteed that it will be stored in scripts, which is less secure than a 6 character password that is memorised. Then of course there's the issue of "shoulder surfing".

-- 
My current location - X marks the spot.
X X X
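A small calculator for the figures in the reply above, added here as an example; it is not code from either poster. The 64-character alphabet, the 1,000 and 10,000,000 guesses-per-second rates, and the 8-character limit are the numbers quoted in the thread. The `effective_keyspace` function assumes that a system with such a limit silently truncates longer passwords rather than rejecting them; the thread does not say which the 2.1 system does, so treat that as an assumption.

```python
"""
Password keyspace / brute-force time calculator.

Added example for the thread above, not code from either poster.
Figures (64-character alphabet, 1,000/s online, 10,000,000/s offline,
8-character limit) come from the thread; the truncation behaviour in
effective_keyspace() is an assumption.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of distinct passwords of length min_len..max_len inclusive.

    keyspace(64, 8, 8) is the reply's 64^8; keyspace(64, 8) also counts the
    shorter passwords the reply mentions, which a brute-forcer would try too.
    """
    if min_len < 1 or max_len < min_len:
        raise ValueError("bad length range")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def effective_keyspace(alphabet_size: int, password_len: int, limit: int = 8) -> int:
    """Keyspace an attacker faces if the system truncates passwords to `limit`
    characters (assumption: truncation, not rejection). A 126-character
    password then buys nothing beyond its first `limit` characters."""
    return alphabet_size ** min(password_len, limit)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in `space` at the given rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def expected_years(space: int, guesses_per_second: float) -> float:
    """Average time to hit the right password (half the space on average)."""
    return years_to_exhaust(space, guesses_per_second) / 2


def report(alphabet_size: int = 64, limit: int = 8) -> dict:
    """Reproduce the reply's figures and contrast online vs offline rates."""
    exact = keyspace(alphabet_size, limit, limit)
    cumulative = keyspace(alphabet_size, limit)
    return {
        "exact_8": exact,
        "up_to_8": cumulative,
        "online_1000ps_years": years_to_exhaust(exact, 1_000),
        "online_1000ps_avg_years": expected_years(exact, 1_000),
        "offline_10Mps_years": years_to_exhaust(exact, 10_000_000),
        "effective_126": effective_keyspace(alphabet_size, 126, limit),
    }


if __name__ == "__main__":
    for key, value in report().items():
        if isinstance(value, float):
            print(f"{key:>24}: {value:,.2f}")
        else:
            print(f"{key:>24}: {value:,}")
```

Running it reproduces the reply's arithmetic: 64^8 = 281,474,976,710,656, roughly 8,925 years to exhaust at 1,000 guesses per second (an average of about 4,463), and under a year at 10,000,000 per second, which is the reply's point that an offline attack against a readable shadow file, not the length limit, is the real problem. `effective_keyspace(64, 126)` equals `64 ** 8`, showing that under truncation a 126-character password gains nothing over an 8-character one.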