[geeks] IRIX, Passwords over 8 char?

Ethan telmnstr at 757.org
Thu Apr 4 00:50:53 CST 2002


> > and how do i get to use passwords longer than 8 chars?
> 
> You don't.  At least, not without breaking open libc.so and installing
> your own crypt().  And, even then, you'll probably cause buffer overflows
> in half of the programs that call it.  IRIX userland probably assumes a
> buffer size of 13 or 14 bytes.
> 
> Maybe we'll see MD5-hashed passwords in IRIX 7, whenever -that- happens.  
> Does Solaris have an option for MD5-hashed passwords yet?  It's about time
> that the commercial unixen caught up with the Linux and BSD crowd on this
> point.

What is the big deal anyways? Who cares if the system accepts more than 8
character passwords. Nobody brute forces DES encrypted password hashes...
Dictionary attacks reveal weak passwords (which users would still
continue to use even if the system allowed 128 character
passwords). Assuming you run pwconv, the password file is shadowed. If
someone is looking at your passwords from the shadow file, they can
probably dump traffic from the ethernet interfaces, replace the ssh
binaries, etc.

Unless I'm missing something....

					-- Ethan
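
The 8-character limit and the 13-byte hash discussed in this thread, shown as an added example that is not part of either poster's message: traditional crypt(3) builds its 56-bit DES key from the low 7 bits of the first eight password bytes, and its output is 2 salt characters plus 11 hash characters. The function names and the shadow-style sample entries below are constructed for illustration.

```python
import re

# Traditional crypt(3) output: 2 salt chars + 11 hash chars, 13 in total.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def des_crypt_key(password: bytes) -> bytes:
    """Return the 8-byte DES key traditional crypt(3) derives from a password.

    Only the first 8 bytes are used, and only the low 7 bits of each byte
    (shifted up by one, leaving the DES parity bit clear). Shorter
    passwords are zero-padded.
    """
    raw = password[:8].ljust(8, b"\0")
    return bytes((b << 1) & 0xFF for b in raw)


def classify_hash(field: str) -> str:
    """Classify a passwd/shadow hash field by its format."""
    if field.startswith("$1$"):
        return "md5-crypt"
    if DES_CRYPT_RE.match(field):
        return "des-crypt"
    return "other"  # locked, empty, shadowed ("x"), or another scheme


def users_on_des_crypt(shadow_text: str) -> list:
    """List accounts whose hash field is in traditional DES crypt format."""
    users = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and classify_hash(parts[1]) == "des-crypt":
            users.append(parts[0])
    return users


# Constructed sample entries; the hash values are placeholders, not real hashes.
SAMPLE_SHADOW = """\
alice:ab0123456789A:11781::::::
bob:$1$saltsalt$0123456789abcdefghijkl:11781::::::
daemon:*:11781::::::
"""

if __name__ == "__main__":
    # Everything past the eighth byte is ignored, so these keys are identical.
    print(des_crypt_key(b"correcthorse") == des_crypt_key(b"correcth"))
    print(users_on_des_crypt(SAMPLE_SHADOW))
```
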


