I searched through the archives and found this issue addressed but didn't find the info I was seeking.

Is it possible to set a SuSE 6.4 box to accept more than an 8 character password AND recognize it as such. IE if you only enter 8 characters of an 11 character password it would NOT allow the login to progress?

IMHO, I find an 8 character password to be a security risk, especially on an Internet connected box.

Thanks for any info!

Christopher A. Kulish
Network Administrator
MRC Rail Services, LLC
Email: ckulish@mrc-rail.com
Web: http://www.mrc-rail.com

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
A password of only 8 characters is certainly less secure than one of 128 characters. I believe SuSE 6.3 came enabled to use the MD5 password hash by default, which version are you using?

When I used 6.2, I remember having to enable this manually. The file you will need to change is '/etc/login.defs'. Look in there for md5 options, or use PAM with the "md5" option passed to the pam_pwcheck module.

To quote the Manual (100):

Since MD5 encryption is not compatible with the standard Unix crypt() function, most commercial Unix systems and some programs don't work with MD5 passwords. So be careful if you enable this feature.

Hope this helps.

On Fri, Jun 09, 2000 at 03:25:14PM -0500, Kulish, Chris (Des Moines) wrote:
> I searched through the archives and found this issue addressed but didn't find the info I was seeking.
>
> Is it possible to set a SuSE 6.4 box to accept more than an 8 character password AND recognize it as such. IE if you only enter 8 characters of an 11 character password it would NOT allow the login to progress?
>
> IMHO, I find an 8 character password to be a security risk, especially on an Internet connected box.
>
> Thanks for any info!
>
> Christopher A. Kulish
> Network Administrator
> MRC Rail Services, LLC
> Email: ckulish@mrc-rail.com
> Web: http://www.mrc-rail.com
--
[-=-=-=-=-=-=-=-=-=-=- adam j henry =-=-=-=-=-=-=-=-=-=-=]
| [http: www.heidelberg.edu/~ahenry] [pgp: 0xBD168A74] |
| [mailto: ahenry@heidelberg.edu] [icq: 69243836] |
[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
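Added example, not part of any poster's message: a check that shows which accounts still carry a traditional crypt() hash (only the first 8 password characters count) and which already use MD5 after the change described above. The sample entries and function names are constructed for illustration; on a real box, feed `/etc/shadow` to `classify_shadow` as root.

```shell
#!/bin/sh
# Classify the password-hash scheme of each entry in shadow-format input.
# Traditional DES crypt() hashes are exactly 13 characters from [./0-9A-Za-z];
# MD5 hashes start with "$1$".

# Constructed sample entries (not real accounts or real hashes).
sample_shadow() {
cat <<'EOF'
root:$1$Qx8rT2ab$1gYp0cX9mE4uN7sKdLw3h/:11117:0:99999:7:::
chris:ab3Fz9QkLmN0w:11117:0:99999:7:::
daemon:*:11117:0:99999:7:::
guest::11117:0:99999:7:::
EOF
}

# Reads shadow-format lines on stdin, prints "account:SCHEME" per line.
classify_shadow() {
    awk -F: '
    {
        h = $2
        c = substr(h, 1, 1)
        if (h == "")                          s = "EMPTY"   # no password set
        else if (c == "!" || c == "*")        s = "LOCKED"  # cannot log in
        else if (substr(h, 1, 3) == "$1$")    s = "MD5"     # long passwords honoured
        else if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$")
                                              s = "DES"     # truncated at 8 chars
        else                                  s = "OTHER"
        print $1 ":" s
    }'
}

# Prints only the accounts whose stored hash is still traditional crypt().
des_accounts() {
    classify_shadow | awk -F: '$2 == "DES" { print $1 }'
}

sample_shadow | classify_shadow
```

An account listed as DES keeps its 8-character limit until its password is changed, because the stored hash is only regenerated when a new password is set.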
On Sat, 10 Jun 2000 eighteenrabbit@bright.net wrote:
> A password of only 8 characters is certainly less secure than one of 128 characters. I believe SuSE 6.3 came enabled to use the MD5 password hash by default, which version are you using?
Except that how many people can remember a 128 character password without writing it down?

Greg
A password of only 8 characters is certainly less secure than one of 9 characters, provided both are properly generated, and a brute-force cracking method is used.

I had one that was about 50, but one of 128 characters would indeed be too long to type. It consisted of nonsensical words/numbers that were easy to remember, yet difficult to guess. I don't think the problem lies in remembering the password. It's very tedious to enter a password of extremely long lengths every time you log in ...

Writing it down defeats the purpose of passwords. They should remain in your head. The PGP Password FAQ is a good place to start (Williams: 1995):

Writing your passphrase is a breach of security if care is not taken. Many ordinary disposal methods hand your written passphrase to anyone looking. A simple technique with an ordinary pencil will grab a passphrase from a pad of paper after the top sheet where the actual writing took place is removed. Throwing the copy of your passphrase in the trash gives your passphrase to the dumpster divers. Even trash from your house can be searched without much trouble. A wallet isn't a good place if you get hurt or your wallet gets stolen. There are many other problems with things that are written down.

On Sat, Jun 10, 2000 at 11:15:48AM -0700, Greg Thomas wrote:
> On Sat, 10 Jun 2000 eighteenrabbit@bright.net wrote:
> > A password of only 8 characters is certainly less secure than one of 128 characters. I believe SuSE 6.3 came enabled to use the MD5 password hash by default, which version are you using?
>
> Except that how many people can remember a 128 character password without writing it down?
--
[-=-=-=-=-=-=-=-=-=-=- adam j henry =-=-=-=-=-=-=-=-=-=-=]
| [http: www.heidelberg.edu/~ahenry] [pgp: 0xBD168A74] |
| [mailto: ahenry@heidelberg.edu] [icq: 69243836] |
[-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
from http://www.ntfaq.com/ntfaq/security21.html#security21

"When users are forced to use special characters, 9 out of 10 times, the user will put the special character at the end of the password. In an 8 character minimum password, the eighth character becomes the symbol, and the first seven are letters and numbers. The seven characters are cracked with L0pht crack in 24 hours or less. Thus, an 8 character password (even with a special character at the end) may either be cracked in 24 hours, or give up enough info to guess the first half (yes - a lot of assumptions here - but this theory has held up over 30,000 times).

I'd like us to reset the industry line of thought on NT passwords and suggest that the strongest password policies are those that require seven characters (instead of 6 or 8). Also, the strongest passwords are those that are either 7 or 14 characters exactly, with at least one special character in each half (with very few exceptions - note Paul Ashton's 7 character or less pwd attack). Given that users will write down pwds that are 14 characters in length, 7 becomes the next best choice. I believe Dave Leblanc, InfoWorld, and some folks at Microsoft will agree that exactly 7 characters is a recommended length."

At 15:16 11/06/2000 -0400, eighteenrabbit@bright.net wrote:
> A password of only 8 characters is certainly less secure than one of 9 characters, provided both are properly generated, and a brute-force cracking method is used.
>
> I had one that was about 50, but one of 128 characters would indeed be too long to type. It consisted of nonsensical words/numbers that were easy to remember, yet difficult to guess. I don't think the problem lies in remembering the password. It's very tedious to enter a password of extremely long lengths every time you log in ...
>
> Writing it down defeats the purpose of passwords. They should remain in your head. The PGP Password FAQ is a good place to start (Williams: 1995):
>
> Writing your passphrase is a breach of security if care is not taken. Many ordinary disposal methods hand your written passphrase to anyone looking. A simple technique with an ordinary pencil will grab a passphrase from a pad of paper after the top sheet where the actual writing took place is removed. Throwing the copy of your passphrase in the trash gives your passphrase to the dumpster divers. Even trash from your house can be searched without much trouble. A wallet isn't a good place if you get hurt or your wallet gets stolen. There are many other problems with things that are written down.
>
> On Sat, Jun 10, 2000 at 11:15:48AM -0700, Greg Thomas wrote:
> > On Sat, 10 Jun 2000 eighteenrabbit@bright.net wrote:
> > > A password of only 8 characters is certainly less secure than one of 128 characters. I believe SuSE 6.3 came enabled to use the MD5 password hash by default, which version are you using?
> >
> > Except that how many people can remember a 128 character password without writing it down?
>
> --
> [-=-=-=-=-=-=-=-=-=-=- adam j henry =-=-=-=-=-=-=-=-=-=-=]
> | [http: www.heidelberg.edu/~ahenry] [pgp: 0xBD168A74] |
> | [mailto: ahenry@heidelberg.edu] [icq: 69243836] |
> [-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
participants (4)
- ckulish@mrc-rail.com
- eighteenrabbit@bright.net
- ethant@pacificnet.net
- graemer@graenet.com