Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!ucbvax!GYRE.UMD.EDU!chris
From: chris@GYRE.UMD.EDU (Chris Torek)
Newsgroups: comp.protocols.tcp-ip
Subject: Unix 8-character passwords
Message-ID: <8811090812.AA13935@gyre.umd.edu>
Date: 9 Nov 88 08:12:35 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 36

From: auspex!guy@uunet.uu.net (Guy Harris)
>... specify a password with complex characters in it,
>either non-alphabetic, or numeric mixed with alphabetic and of
>at least a certain length (10 characters seems like a good size).

Except that UNIX systems tend to pay attention only to the first 8
characters of the password.

There is, of course, a perfectly good reason for this limit, and it
should be mentioned: The Unix password encryption algorithm is to use a
`salted' DES to encrypt a constant string using the password as a key.
DES keys are 56 bits long; ASCII is a 7 bit code; and 8 times 7 is, of
course, 56. It is therefore obvious that there are no passwords that
cannot be specified in at most eight characters, and any more are
theoretically superfluous.

(The `salt' above is to discourage brute-force attacks using hardware
DES implementations. It is used to shuffle the E box in some manner.
I am not a cryptographer; I leave the details to those who are.)

Nonetheless, there are some ASCII characters that are inordinately
difficult to type (for reasons which I would rather not argue on the
TCP-IP list [I myself am firmly in the `Emacs camp': unescaped in-band
flow control is wrong :-) ]). There is also a question of
implementation of the password reader: can one type a sequence with an
imbedded ASCII NUL?

I would rather that the password reader accept an arbitrarily long
password, and use some mapping function to compress longer passwords
into eight 7-bit `bytes' for use by the modified DES encrypter. This
longer password would still be `the same' as some shorter one, but the
shorter one might be impossible to enter.

At worst, you will require people with long passwords either to type
the whole thing every time, or to figure out the equivalent eight
character string.

Chris
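The key-construction step Torek describes (eight characters, seven bits each, packed into a DES key block) is reproduced below as an added example; it is not code from the post. `crypt_key` follows the classic V7 crypt(3) key loading; `fold_key` and `equivalent_short_password` are hypothetical helpers illustrating his "compress longer passwords into eight 7-bit bytes" suggestion and its consequence that the equivalent short password may be untypeable.

```python
# Added example: why classic Unix crypt(3) only sees eight password characters.


def crypt_key(password: str) -> bytes:
    """Build the 64-bit DES key block the way V7 crypt(3) loads it.

    Each of the first eight characters contributes its low 7 bits, placed in
    bits 1..7 of one key byte; bit 0 of every byte is the DES parity bit,
    which DES ignores.  Eight characters x 7 bits = 56 usable key bits, so
    any ninth or later character never reaches the cipher.
    """
    # crypt() receives a C string, so an embedded NUL terminates the password.
    pw = password.split("\x00", 1)[0]
    key = bytearray(8)                      # positions past a short password stay 0
    for i, ch in enumerate(pw[:8]):         # characters 9+ are never read
        key[i] = (ord(ch) & 0x7F) << 1      # 7 data bits, parity slot left clear
    return bytes(key)


def fold_key(password: str) -> bytes:
    """Hypothetical compressor of the kind Torek proposes (not a real scheme):
    fold an arbitrarily long password into eight 7-bit bytes before keying DES.
    A plain XOR fold is used only to make the idea concrete."""
    acc = [0] * 8
    for i, ch in enumerate(password):
        acc[i % 8] ^= ord(ch) & 0x7F
    return bytes(b << 1 for b in acc)


def equivalent_short_password(key: bytes) -> str:
    """The eight-character string that crypt_key() would map onto `key`.
    It exists for every key, but may contain control codes or NUL, which
    a terminal-based password reader may not let a user enter."""
    return "".join(chr(b >> 1) for b in key)


def fold_has_typeable_equivalent(password: str) -> bool:
    """True when the folded key of `password` can also be reached by typing
    its eight-character equivalent through crypt_key(), i.e. no NUL inside."""
    key = fold_key(password)
    return crypt_key(equivalent_short_password(key)) == key


if __name__ == "__main__":
    print(crypt_key("abcdefghIJKL") == crypt_key("abcdefgh"))   # True
    eq = equivalent_short_password(fold_key("correct horse battery staple"))
    print([hex(ord(c)) for c in eq])  # note the control characters
```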