Vulnerability Development mailing list archives

Re: OpenSSH Password Question
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Sun, 10 Dec 2000 14:20:39 +0100

As a minor comment, I've heard some people (not in this ml) complain about
the fact that old-fashioned unix cuts passwords and think it would be a
great idea to update the old crypt to support longer DES passwords.

The reason why you don't want that is rather simple to show mathematically.
Assume you use strong passwords with a-zA-Z0-9 and 8 characters long
passwords. You get 36^8 possible different passwords, which are hashed
into a 2^40 bit DES hash. But 36^8 / 2^40 = 2.6, meaning that each
checksum has multiple matches. The hash is no longer able to improve
security. That's why we use MD5 instead :)

it's not a bug. it's not a misconfiguration.

traditionally unix allows users to enter more
than 8 characters, even if only the 1st 8 are
significant.

however, there are several systems supporting
passwords longer than 8 characters, e.g.
MD5 or blowfish based password systems.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team

             http://www.eff.org/cafe

