Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Article / Document about passwords vs. passphrases
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Thu, 02 Nov 2006 08:59:39 +0100


On Tue, 2006-10-31 at 14:01 +0200, Florian Rommel wrote:
also someone said that only the most recent version of linux allow you
to have long passwords, according to my memory, this has worked
already for a looong time (i remember i used a long password quite a
few years back already) so any info on that would be good too.

The reason is simple and has different results than you might think. The
problem is that the crypt() function was used as a hashing algorithm.
Now, crypt() is just a 56 bit cipher, so what it does is it takes the
first 7 bytes of input and the first 7 bytes of the key and DES encrypts
it. Thus, if you had a password longer than 7 characters, you could have
entered anything just as long as the first 7 characters were equal. As
an example:

If your password was "alamakota", then you could have entered
"alamakori" and still be logged in. Or simply "alamako".

SyGroup GmbH
Tonnerre Lombard

Lösungen mit System
Tel:+41 61 333 80 33    Röschenzerstrasse 9
Fax:+41 61 383 14 67    4153 Reinach BL
Web:www.sygroup.ch      tonnerre.lombard () sygroup ch

Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]