
| Subject: | Re: A question about passwords and login/authentication |
|---|---|
| Date: | Sat, 12 Mar 2005 20:11:27 +0000 |
Roman L. Daszczyszak II wrote:
> I have heard that many *nix flavors used to default to using DES as their password storage algorithm, but recently many Linux flavors tend to use MD5 hashes instead, which are more secure against brute-force attacks. What I'm wondering is: how long can a Linux password be?
Long enough. An MD5 hash is only 128 bits long, so there is no point having a password with more than 128 bits of entropy (equivalent to 16 random bytes or 25 characters randomly selected from [a-z0-9]).
> Can it use extended characters (like the Windows Alt-# feature) in its passwords, and if so, how do you use them (aka if they aren't on the keyboard)?
So far as the applicable library routines are concerned, a password can be any sequence of non-NUL bytes. However, if you use control codes or characters outside of the 7-bit range, you may have problems entering them. E.g. the library functions will allow you to have LF or CR characters in a password, but you may not be able to enter them at a terminal login prompt or in a GUI login dialog. Also, some terminals (or GUI login programs) may represent non-ASCII characters using ISO-8859-1 whereas others may use UTF-8. The library functions deal with the raw bytes, not their interpretations as characters, so if you set a password containing non-ASCII characters on a terminal which uses ISO-8859-1, you won't be able to log in on a terminal which uses UTF-8.
> Additionally, I have heard that an MD5 hash has no limit to the amount it can hash (iow an unlimited-length password), but somewhere in the Linux authentication it is set to a length of 256. What imposes this length of password?
There is no point in having a 256-byte password; as the hash is only 128 bits, there would be many shorter passwords with exactly the same hash.

-- 
Glynn Clements <glynn@gclements.plus.com>
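The two points made in the reply above, as an added example that is not part of the original thread: the 128-bit output of the hash caps the useful entropy of a password (25 characters from [a-z0-9], 16 random bytes), and the hashing routine sees raw non-NUL bytes, so the same non-ASCII character typed on an ISO-8859-1 terminal and on a UTF-8 terminal yields different hashes. The `md5crypt()` below is a from-memory re-implementation of the glibc/FreeBSD "$1$" scheme written for this example, not libc's own code; it is assumed, not verified here, to match `crypt(3)` output (cross-check with `openssl passwd -1 -salt <salt>`). The salt and the sample password are constructed for the demonstration.

```python
"""Added example: entropy bound of a 128-bit hash, and why encoding matters
for the raw bytes that MD5-crypt hashes. Not code from the original thread."""
import hashlib
import math

# crypt(3)'s own alphabet for its non-standard base64 (assumed from glibc)
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def chars_for_entropy(alphabet_size: int, bits: int = 128) -> int:
    """Smallest length at which uniformly random choices from an alphabet of
    `alphabet_size` symbols carry at least `bits` of entropy.  Beyond this
    point a 128-bit hash gains nothing from a longer password."""
    return math.ceil(bits / math.log2(alphabet_size))


def _to64(value: int, count: int) -> bytes:
    """Emit `count` 6-bit groups of `value`, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes) -> bytes:
    """MD5-based crypt producing "$1$<salt>$<22 chars>".  Works on raw bytes:
    any byte except NUL is accepted (C-string limit), just as the thread says."""
    if b"\0" in password:
        raise ValueError("crypt(3) passwords are C strings: NUL not allowed")
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]      # salt stops at '$', max 8 bytes

    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # one byte of the alternate sum per password byte, 16 at a time
    for remaining in range(len(password), 0, -16):
        ctx.update(alt[:min(remaining, 16)])
    # historical quirk: for each bit of the length, a NUL (bit set) or the
    # first password byte (bit clear)
    n = len(password)
    while n > 0:
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    # 1000 rounds of stretching with a fixed schedule
    for i in range(1000):
        ctx = hashlib.md5()
        ctx.update(password if i & 1 else final)
        if i % 3:
            ctx.update(salt)
        if i % 7:
            ctx.update(password)
        ctx.update(final if i & 1 else password)
        final = ctx.digest()
    # crypt's base64 over a permuted byte order
    out = b""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return MAGIC + salt + b"$" + out


def hashes_per_encoding(password: str, salt: bytes) -> dict:
    """Hash the bytes an ISO-8859-1 terminal and a UTF-8 terminal would each
    send for the same typed text.  Non-ASCII characters encode to different
    bytes, hence different hashes; pure ASCII encodes identically."""
    return {enc: md5crypt(password.encode(enc), salt)
            for enc in ("iso-8859-1", "utf-8")}


if __name__ == "__main__":
    print("chars for 128 bits: [a-z0-9] =", chars_for_entropy(36),
          " bytes =", chars_for_entropy(256), " printable ASCII =",
          chars_for_entropy(95))
    # constructed sample: "caf\u00e9" set on one terminal, typed on the other
    for enc, h in hashes_per_encoding("caf\u00e9", b"saltsalt").items():
        print(enc, h.decode())
```

A password containing LF or CR is accepted by `md5crypt()` (only NUL is rejected), which is exactly why the entry problem is in the terminal or login dialog rather than in the library.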