Re: Passwords on Linux systems(for all flavors)

Roman Daszczyszak wrote:

> How long is the standard password MD5 hash, 128 bits?

Yes.

> So theoretically, the longer the password gets, the likelyhood of rolling
> over the top number and getting duplicate hashes for multiple password
> increases as well, yes?

Yes.

> I mean, I'm not sure exactly how the MD5 hash algorithm works, but I'm
> sure there's a finite size to the input, after which it becomes
> ineffective because of the duplication I mention above.

There is no limit on the input size, but there is a point beyond which
increasing the length of the password doesn't make it any harder to
crack (although it may be harder for someone to read over your
shoulder and memorise).

Exactly how many characters are necessary to reach that point depends
upon the the size of the set from which the characters are drawn and
the randomness (entropy) of the password. If you use a highly random
sequence drawn from the entire 8-bit range (or at least those
characters which you can actually enter), you need fewer characters
than if you use a phrase comprised of valid English words, entirely in
lower-case.

This contrasts with traditional DES password hashes, where only the
first 8 characters of the password are significant.

-- 
Glynn Clements <glynn@gclements.plus.com>