Re: FreeBSD maximum password length
Thank you all for the points you mentioned around this topic.

On Mon, Jun 17, 2013 at 3:44 PM, Mark Felder f...@feld.me wrote:
> There isn't a max password length as far as I'm aware, ...

On Jun 17, 2013, at 7:47 AM, Eduardo Morras wrote:
> If I remember well, any password longer than default size is truncated, so passwords
> a) 'AhN12Njufsn8794432kjfvsnkkJHNDSMNDKh844mNJKnhjhu8u8424'
> b) 'AhN12Njufsn8794432kj'
> have the same salt hash value and both validate the user.

My test machine is currently an old 8.2 one, but the final machine may be upgraded. On this machine, if I enter a password longer than 128 characters, the extra characters will be exactly trimmed. So the final password for any user whose input password string is 128 characters or longer, with the same first 128 characters, would be those first 128 characters. Has this been changed in FreeBSD 8.3+ to what you explained, Eduardo, or is this the expected behavior? Or am I wrong somewhere?

Thank you :)

On Tue, Jun 18, 2013 at 7:12 AM, Michael Sierchio ku...@tenebras.com wrote:
> I know this may seem off-the-wall to some, but I pasted a hashed password for a user under 9.1 into the /etc/passwd entry for that user on an 8.3 machine, and auth continues to work properly.
>
> That's nice.
>
> - M

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: FreeBSD maximum password length
There isn't a max password length as far as I'm aware, but there is a max username length that drives me insane sometimes. I should really file a PR about that...
Re: FreeBSD maximum password length
Thank you, Mark, for your helpful answer :) Yes, I am aware of the max username length of 16 characters. I just wanted to be sure about the password max length, because I need to moderate it in my self-built user interface. Thank you again :)

On Mon, Jun 17, 2013 at 3:44 PM, Mark Felder f...@feld.me wrote:
> There isn't a max password length as far as I'm aware, but there is a max username length that drives me insane sometimes. I should really file a PR about that...
Re: FreeBSD maximum password length
takCoder tak.offic...@gmail.com writes:

> As I googled it, there are no maximum limitations for users' password length by default. But we may use the *pam_passwdqc* module with the *max* option to check it when required. And I've heard that no-maximum-limits for password length is only possible when we keep them in encrypted form, not as plain text, which I think matches FreeBSD behavior.

Are plain-text passwords even a supported behaviour? I didn't think it was.

> Am I right? Is that all about maximum password length in FreeBSD? Did I miss something??

_PASSWORD_LEN is the defined limit. It's 128 characters by default but could be changed at compile time. There may be other limits, such as in various versions of NIS.

> Thank you for all your help and ideas :)

I'm not sure I understand what you're doing, so I don't have any real advice, but I don't see why 128 characters would be that hard to deal with.
Re: FreeBSD maximum password length
Thank you, Lowell, for your reply. :)

>> And I've heard that no-maximum-limits for password length is only possible when we keep them in encrypted form, not as plain text, which I think matches FreeBSD behavior.
>
> Are plain-text passwords even a supported behaviour? I didn't think it was.

I meant I think FreeBSD does not use plain-text passwords, so we won't have a limitation for that reason. Excuse me for my poor English.

> _PASSWORD_LEN is the defined limit. It's 128 characters by default but could be changed at compile time. There may be other limits, such as in various versions of NIS.
> ...
> I'm not sure I understand what you're doing, so I don't have any real advice, but I don't see why 128 characters would be that hard to deal with.

I need to moderate the input password in my system's user interface. And I believe I have tested passwords longer than that, about 1000 characters long, and there were no limitations, using this command in a /bin/sh test shell script:

    echo PASSWORD | pw user mod USER -h 0

At least there were no errors reported by *pw*. I did not test the user myself. And it somehow seems correct, as the encrypted output string may not be a function of the input string, based on the method used.

Thank you :)
Re: FreeBSD maximum password length
On Mon, 17 Jun 2013 17:49:56 +0330
takCoder tak.offic...@gmail.com wrote:

> I need to moderate the input password in my system's user interface. And I believe I have tested passwords longer than that, about 1000 characters long, and there were no limitations, using this command in a /bin/sh test shell script:
>
>     echo PASSWORD | pw user mod USER -h 0

If I remember well, any password longer than default size is truncated, so passwords
a) 'AhN12Njufsn8794432kjfvsnkkJHNDSMNDKh844mNJKnhjhu8u8424'
b) 'AhN12Njufsn8794432kj'
have the same salt hash value and both validate the user.

> Thank you :)

---   ---
Eduardo Morras emorr...@yahoo.es
Re: FreeBSD maximum password length
On Jun 17, 2013, at 7:47 AM, Eduardo Morras wrote:

> On Mon, 17 Jun 2013 17:49:56 +0330
> takCoder tak.offic...@gmail.com wrote:
>
>> I need to moderate the input password in my system's user interface. And I believe I have tested passwords longer than that, about 1000 characters long, and there were no limitations, using this command in a /bin/sh test shell script:
>>
>>     echo PASSWORD | pw user mod USER -h 0
>
> If I remember well, any password longer than default size is truncated, so passwords
> a) 'AhN12Njufsn8794432kjfvsnkkJHNDSMNDKh844mNJKnhjhu8u8424'
> b) 'AhN12Njufsn8794432kj'
> have the same salt hash value and both validate the user.

Depends on the hashing algo.

Old crypt(3) stored passwords with a 12-bit salt (2 Base64 characters; [0-9a-zA-Z./]) followed by the hashed cleartext. This [ancient] format limited password input to 8 characters. With this algorithm, input beyond 8 characters was ignored, so the behavior you describe is accurate -- with the old DES-based one-way hash algorithm (which hasn't been default for a very long time).

The default in FreeBSD is MD5, but you can go to AES256 (Rijndael) if you like, or Blowfish, or whatever you like. Each of these has different limitations, but will not exhibit the behavior you describe above. There is no limit to these algorithms, only in the implementations -- that is to say that if you implement a read-buffer of 128k, that's the practical limit of your application's input (read: these algorithms have no limitations on input; however, that being stated… no CRC algorithm has a limitation on input).

But be aware… What makes these algorithms more secure is their larger salts *and* their stated rate of collisions. MD5 is no longer considered secure. It's secure *enough* for most people, but if you run a tight ship, anyone with a few multiplexed GPUs running a CUDA thread against your hash can break it in a matter of a week if not days.

The benchmark (in my mind) for any cryptographically strong algo is that with almost dream-like hardware, it would still be impossible to reverse the one-way trapdoor hash in one's own lifetime. Of course, achieving that as a human can be hard considering that we rarely (if ever) produce strong inputs to the strong algorithms. However, if you want to be pedantic about choosing a strong password… you should actually take respite in the fact that these algorithms are still like their CRC brethren in that: inputs greater than the hash length are cryptographically more secure than inputs shorter than the hash length.

I digress…
-- 
Devin

_
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.
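The thread mixes two separate questions: whether the hash algorithm itself ignores part of its input (the 8-character DES crypt Devin describes does; md5crypt and later schemes do not) and whether a fixed-size buffer in front of the hash drops it (the _PASSWORD_LEN limit Lowell cites). As an added example, not code from the thread or from FreeBSD, the following Python reimplements the $1$ md5crypt scheme from its published description and uses it to show both effects side by side. PASSWORD_LEN, the salt `saltsalt`, the 200-byte constructed passwords and the helper names are assumptions made for the demonstration; the pure-Python md5crypt is not FreeBSD's libcrypt, so compare its output with `openssl passwd -1 -salt saltsalt <password>` on a real host before relying on it.

```python
"""Added example: md5crypt ($1$) reimplemented from its published description,
plus the length policy a password front end should enforce.  Not FreeBSD code."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PASSWORD_LEN = 128  # assumed buffer limit, mirroring the _PASSWORD_LEN default


def _to64(value, count):
    """Encode `count` 6-bit groups of `value` in crypt's base64 alphabet."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Compute a $1$<salt>$<hash> string for bytes `password` and `salt`."""
    magic = b"$1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Feed `alt` into ctx, one byte per byte of password (16 at a time).
    n = len(password)
    while n > 0:
        ctx.update(alt[: min(16, n)])
        n -= 16
    # Walk the bits of the password length: NUL for 1-bits, pw[0] for 0-bits.
    n = len(password)
    while n:
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    # 1000 stretching iterations on a fixed, non-tunable schedule.
    for i in range(1000):
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return (magic + salt + b"$").decode("ascii") + encoded


def hash_through_fixed_buffer(password, salt, limit=PASSWORD_LEN):
    """Model a front end that copies the password into a fixed-size buffer:
    anything past `limit` bytes is silently dropped before hashing."""
    return md5crypt(password[:limit], salt)


def check_length(password, limit=PASSWORD_LEN):
    """Policy: refuse over-long input instead of trimming it."""
    if len(password) > limit:
        raise ValueError(f"password exceeds {limit} bytes and would be truncated; rejecting")
    return True


def demo():
    """Constructed inputs: two passwords that agree on their first 128 bytes."""
    salt = b"saltsalt"
    long_pw = b"A" * 200
    same_prefix = b"A" * 128 + b"B" * 72
    return {
        "algorithm_distinguishes": md5crypt(long_pw, salt) != md5crypt(same_prefix, salt),
        "buffer_collides": hash_through_fixed_buffer(long_pw, salt)
        == hash_through_fixed_buffer(same_prefix, salt),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns both flags true: the algorithm tells the two 200-byte passwords apart, the 128-byte buffer in front of it does not. For a front end like the one takCoder is building, the practical rule is to reject input longer than whatever limit exists anywhere in the pipeline rather than trim it, because trimming makes every password that shares the first 128 bytes log in as the same credential, which is exactly the collision Eduardo describes. A pam_passwdqc `max=` setting only governs changes that pass through the PAM password stack (passwd(1)); `pw usermod -h 0` hashes and writes the entry directly.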
Re: FreeBSD maximum password length
On Mon, 17 Jun 2013 12:25:54 -0500, Teske, Devin devin.te...@fisglobal.com wrote:

> The default in FreeBSD is MD5

MD5 is no longer the default.

http://svnweb.freebsd.org/base?view=revision&revision=238484
Re: FreeBSD maximum password length
On Jun 17, 2013, at 10:28 AM, Mark Felder wrote:

> On Mon, 17 Jun 2013 12:25:54 -0500, Teske, Devin devin.te...@fisglobal.com wrote:
>
>> The default in FreeBSD is MD5
>
> MD5 is no longer the default.
>
> http://svnweb.freebsd.org/base?view=revision&revision=238484

Huzzah! 9.1-RELEASE and higher indeed use sha512 as the new default. 8.4 is still using md5 though (and expected to stay that way).

Question… Is sha512 the highest it goes in our system?
-- 
Devin
Re: FreeBSD maximum password length
On Mon, 17 Jun 2013 12:52:48 -0500, Teske, Devin devin.te...@fisglobal.com wrote:

> Is sha512 the highest it goes in our system?

Not sure what the limitations are. I know OpenBSD uses blowfish and I have been using that on older FreeBSD servers as a workaround. I think that OpenBSD uses a high number of rounds on their blowfish to make brute forcing more difficult because of how slow it gets.
Re: FreeBSD maximum password length
On Mon, 17 Jun 2013 17:52:48 +0000
Teske, Devin wrote:

> On Jun 17, 2013, at 10:28 AM, Mark Felder wrote:
>
>> On Mon, 17 Jun 2013 12:25:54 -0500, Teske, Devin devin.te...@fisglobal.com wrote:
>>
>>> The default in FreeBSD is MD5
>>
>> MD5 is no longer the default.
>>
>> http://svnweb.freebsd.org/base?view=revision&revision=238484
>
> Huzzah! 9.1-RELEASE and higher indeed use sha512 as the new default. 8.4 is still using md5 though (and expected to stay that way).
>
> Question… Is sha512 the highest it goes in our system?

The precise cipher/hash is almost irrelevant. What's important is the amount of work needed to evaluate a password in a bruteforce dictionary attack. MD5 is still OK for password hashing; the problem is an inadequate number of iterations in our particular implementation. A similar problem exists with blowfish and arguably all of the rest. Another problem is that all current schemes are inadvertently optimised for GPU attack since they run in very little memory.

The bottom line is: don't let anyone steal your password file.
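Mark's blowfish workaround and RW's point about iteration counts both come down to what is actually on disk per account, which survives any change to the system default until each user next changes their password. As an added example, not from the thread and not FreeBSD's own tooling, here is a small Python audit that classifies the password field of each /etc/master.passwd entry by its crypt(3) prefix and pulls out the tunable cost where the scheme has one. The sample file is constructed for the example (the hash bodies are placeholders; only the prefixes and parameters are meaningful), and the policy minimums for bcrypt cost and sha-crypt rounds are assumptions to adjust locally.

```python
"""Added example: audit the hash scheme and work factor of each master.passwd entry."""
import re

# Constructed sample; hash bodies are placeholders, only the prefixes matter here.
SAMPLE_MASTER_PASSWD = """\
root:$6$rounds=5000$Xk2QbV7m$placeholderhashbody:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$Qp9sLm4T$placeholderhashbody:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2b$04$placeholdersaltplaceholderhashbody:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$saltsalt$placeholderhashbody:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave:abCdEfGhIjK/l:1004:1004::0:0:Dave:/home/dave:/bin/sh
svc:*:1005:1005::0:0:Service account:/nonexistent:/usr/sbin/nologin
guest::1006:1006::0:0:Guest:/home/guest:/bin/sh
"""

DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")            # 2-char salt + 11-char hash
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$")        # $2b$NN$ ... cost NN
SHACRYPT_RE = re.compile(r"^\$([56])\$(?:rounds=(\d+)\$)?")  # $5$/$6$[rounds=N$]


def classify(field):
    """Map one password field to (scheme, work_factor)."""
    if field == "":
        return "empty", None
    if field.startswith(("*", "!")):
        return "locked", None
    if field.startswith("$1$"):
        return "md5crypt", 1000           # fixed by the algorithm, not tunable
    m = BCRYPT_RE.match(field)
    if m:
        return "bcrypt", int(m.group(1))  # cost is log2 of the iteration count
    m = SHACRYPT_RE.match(field)
    if m:
        scheme = "sha256crypt" if m.group(1) == "5" else "sha512crypt"
        return scheme, (int(m.group(2)) if m.group(2) else 5000)  # spec default
    if DES_RE.match(field):
        return "descrypt", 25             # 25 DES iterations, 8-char input limit
    return "unknown", None


def audit(text, min_bcrypt_cost=10, min_sha_rounds=5000):
    """Return one dict per entry; `finding` is None when the entry passes policy.
    The policy minimums are assumed values for the example."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            results.append({"user": fields[0], "scheme": "malformed",
                            "work_factor": None,
                            "finding": "expected 10 colon-separated fields"})
            continue
        user = fields[0]
        scheme, wf = classify(fields[1])
        finding = None
        if scheme == "empty":
            finding = "no password set"
        elif scheme == "descrypt":
            finding = "DES crypt truncates input to 8 characters; force a password change"
        elif scheme == "md5crypt":
            finding = "md5crypt has a fixed 1000-iteration cost; migrate to sha512 or blf"
        elif scheme == "bcrypt" and wf < min_bcrypt_cost:
            finding = f"bcrypt cost {wf} below policy minimum {min_bcrypt_cost}"
        elif scheme in ("sha256crypt", "sha512crypt") and wf < min_sha_rounds:
            finding = f"{scheme} rounds {wf} below policy minimum {min_sha_rounds}"
        elif scheme == "unknown":
            finding = "unrecognised hash format"
        results.append({"user": user, "scheme": scheme,
                        "work_factor": wf, "finding": finding})
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_MASTER_PASSWD):
        if row["finding"]:
            print(f"{row['user']}: {row['scheme']} ({row['work_factor']}): {row['finding']}")
```

On a FreeBSD host the scheme used for newly set passwords comes from `passwd_format` in /etc/login.conf (`md5`, `blf`, `sha256`, `sha512`); existing entries keep their old hash until the password is changed, which is why an audit like this, run against the real master.passwd as root, is what tells you whether the default change in the commit Mark linked has actually reached every account.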
Re: FreeBSD maximum password length
One _little_ terminology detail:

On Tue, 18 Jun 2013 00:56:08 +0100, RW wrote:
> What's important is the amount of work needed to evaluate a password in a bruteforce dictionary attack.

I'd say that bruteforce != dictionary. It's bruteforce _or_ dictionary attack instead. A dictionary attack is more sophisticated because it uses words from a dictionary, whereas a _real_ bruteforce will stupidly run through _all_ combinations of the given charsets and length ranges. It will _eventually_ be successful, even if our planet doesn't exist anymore at that time. Finite time, far far away. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: FreeBSD maximum password length
On Mon, Jun 17, 2013 at 6:35 AM, takCoder tak.offic...@gmail.com wrote:
> Thank you, Mark, for your helpful answer :) Yes, I am aware of the max username length of 16 characters. I just wanted to be sure about the password max length, because I need to moderate it in my self-built user interface. Thank you again :)
>
> On Mon, Jun 17, 2013 at 3:44 PM, Mark Felder f...@feld.me wrote:
>> There isn't a max password length as far as I'm aware, but there is a max username length that drives me insane sometimes. I should really file a PR about that...

Perhaps your PR is unnecessary:

    $ svn log -v -r243023 /usr/src/sys/sys/param.h
    r243023 | bapt | 2012-11-14 04:58:12 -0600 (Wed, 14 Nov 2012) | 8 lines
    Changed paths:
       M /head/sys/sys/param.h

    Allow usernames up to 32 chars

    PR:             kern/161091 [1], misc/133926 [2]
    Submitted by:   Stephane Lapie darks...@darkbsd.org [1],
                    Chris Dillon cdil...@wolves.k12.mo.us [2]
    Reviewed by:    cognet, kib

The above would have saved me a few local diffs as well, a few years ago...

-Brandon
Re: FreeBSD maximum password length
On Mon, Jun 17, 2013, at 21:19, Brandon Gooch wrote:
> On Mon, Jun 17, 2013 at 6:35 AM, takCoder tak.offic...@gmail.com wrote:
>
> Perhaps your PR is unnecessary:
>
>     $ svn log -v -r243023 /usr/src/sys/sys/param.h

Hmm, looks like it wasn't MFC'd to 9-STABLE before 9.1's release. Well, at least it's good to know that it's coming.
Re: FreeBSD maximum password length
I know this may seem off-the-wall to some, but I pasted a hashed password for a user under 9.1 into the /etc/passwd entry for that user on an 8.3 machine, and auth continues to work properly.

That's nice.

- M