Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] password bug?
  • From: Michael Zimmermann <zim@xxxxxxxx>
  • Date: Thu, 12 Sep 2002 05:13:58 +0200
  • Message-id: <200209120513.58817.zim@xxxxxxxx>
On Thursday, 12 September 2002 04:14 Rob Bourne wrote:
> I installed 8.0 about a month ago. The password I wanted to use had 9
> characters and the install defaults to 8. I entered the first eight
> characters and later ran yast to enable 15 character passwords. I also
> checked all 3 boxes above the password length dialog boxes (md5 or
> something like that). I changed my password to the 9 character version. Now
> I can login with either the 8 or the 9 character password.

Sounds like you still have the crypt() version of your password,
and only the first 8 characters are hashed.


Check the corresponding line in /etc/shadow


If the shadow-file says something like
username:$1$________$_______________:_etc..
then the password is stored as the MD5 hash
(the long format)


But if it's like
username:___________:_etc..
then the password is stored as the crypt() hash,
where only the first 8 chars of the password are significant.



Setting a new password should always create the
MD5 format (where the hash starts with '$1$').


Greetings
--
Michael Zimmermann (Vegaa Safety and Security for Internet Services)
Key fingerprint = 1E47 7B99 A9D3 698D 7E35 9BB5 EF6B EEDB 696D 5811
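
The check described in the reply above, as an added example that is not part of the original mail: it classifies the password field of shadow-format lines and lists accounts still on the traditional crypt() hash, where only the first 8 characters count. The function names and sample lines are constructed for illustration; the 13-character pattern for the traditional hash and the handling of locked (`!`, `*`) fields are assumptions beyond what the mail states.

```python
import re

# Traditional crypt(): 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Prefixed format as in the mail: $id$salt$hash ('$1$' means MD5).
MCF_RE = re.compile(r"^\$([0-9a-z]+)\$")

def classify_hash(field):
    """Label the password field (2nd column) of one shadow line."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        # Locked/disabled account; a real hash may follow a leading '!'.
        rest = field.lstrip("!*")
        return "locked" if not rest else "locked+" + classify_hash(rest)
    m = MCF_RE.match(field)
    if m:
        return "md5" if m.group(1) == "1" else "other-modular($%s$)" % m.group(1)
    if DES_RE.match(field):
        return "des-crypt"  # only the first 8 password chars are significant
    return "unknown"

def audit_shadow(text):
    """Return [(username, label)] for every parseable line."""
    results = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or not parts[0] or parts[0].startswith("#"):
            continue
        results.append((parts[0], classify_hash(parts[1])))
    return results

def truncating_accounts(text):
    """Users whose stored hash is the 8-character-limited crypt() form."""
    return [u for u, label in audit_shadow(text) if label.endswith("des-crypt")]

# Constructed sample lines (not real hashes).
SAMPLE = """\
rob:ab01234567890:11942:0:99999:7:::
zim:$1$abcdefgh$0123456789abcdefghijkl:11942:0:99999:7:::
daemon:*:8902:0:10000::::
old:!ab01234567890:11942:0:99999:7:::
"""

if __name__ == "__main__":
    for user, label in audit_shadow(SAMPLE):
        print(f"{user:8} {label}")
    print("needs password reset:", truncating_accounts(SAMPLE))
```

Accounts it lists keep accepting the truncated password until the password is set again and stored in the `$1$` format.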

