
AIX passwords limited to 8 chars?


Ross Boswell

Aug 23, 1993, 1:21:34 AM

An astute user has discovered that my AIX 3.2.3extended system
seems to ignore password characters after the 8th.
As far as I know, that behaviour isn't through my choice.

/etc/security/login.cfg has maxrepeats at 8 (the default), but that
shouldn't lead to this effect, should it? As I understand it,
maxrepeats limits the number of occurrences of any single character
in the password.

Other unix systems (eg ultrix) don't seem to have such a password
length restriction. Is it a "feature" of AIX??

--
| Ross Boswell | Email : d...@chmeds.ac.nz |
| Department of Pathology | FAX : +64 3 364 0525 |
| Christchurch School of Medicine | Phone : +64 3 364 0590 |
| NEW ZEALAND | Post : PO Box 4345, Christchurch |

Stephen O. Lidie

Aug 23, 1993, 7:59:14 AM
In article <1993Aug23....@chmeds.ac.nz>, d...@chmeds.ac.nz (Ross

I have complained about this for some time, even going so far as to report
it as a bug via AIXSERV. The standard response is "the system is working
as designed". This is bull!

Not only is 8 characters too short, but the freakin' command doesn't even
warn you that the extra characters have been ignored. So, when I picked a
very clever super-secure root password one day a cohort cracked it
instantly since my special characters et al. were AFTER the eighth!

Now, there is a mechanism to request a change to the specs, but I forgot
the official name - that's the route IBM suggested I go.

This is no feature, it's a bug and the AIXSERV response should NOT have
been to close the report until the bug had been fixed.

Whew, now I feel better (-:

Take care,

SOL

Adam Shostack

Aug 23, 1993, 12:29:10 PM
Stephen O. Lidie (lu...@Lehigh.EDU), (in article <lusol-230...@meatball.cc.lehigh.edu>) wrote:
>In article <1993Aug23....@chmeds.ac.nz>, d...@chmeds.ac.nz (Ross
>Boswell) wrote:
>>
>>
>> An astute user has discovered that my AIX 3.2.3extended system
>> seems to ignore password characters after the 8th.
>> As far as I know, that behaviour isn't through my choice.

>> Other unix systems (eg ultrix) don't seem to have such a password

>> length restriction. Is it a "feature" of AIX??

>I have complained about this for some time, even going so far as to report
>it as a bug via AIXSERV. The standard response is "the system is working
>as designed". This is bull!

>Not only is 8 characters too short, but the freakin' command doesn't even
>warn you that the extra characters have been ignored. So, when I picked a
>very clever super-secure root password one day a cohort cracked it
>instantly since my special characters et al. were AFTER the eighth!

Eight characters is, unfortunately, the standard maximum
length for a password. login and other programs would have to be
changed to accommodate longer passwords. This is a change that should
be forced on vendors, both by user complaints, and by the standards
organizations.

Question: Has anyone seen reliability figures for long
passwords? I know I often mistype my passwords at 8 characters. How
much worse would the problem be with 12?

BTW, npasswd and some other drop-in replacements warn you that
only the first 8 characters will be used.

>This is no feature, it's a bug and the AIXSERV response should NOT have
>been to close the report until the bug had been fixed.

Again, while I'm all too happy to flame AIX, I don't think
this is a bug. It's a design flaw from the days when 6-8 characters
was plenty.


>Whew, now I feel better (-:

Adam

--
Adam Shostack ad...@das.harvard.edu

Politics. From the Greek "poly," meaning many, and ticks, a small,
annoying bloodsucker.

John F Carr

Aug 23, 1993, 1:07:04 PM
> Question: Has anyone seen reliability figures for long
>passwords? I know I often mistype my passwords at 8 characters. How
>much worse would the problem be with 12?

MIT-Athena passwords can be longer than 8 characters. Some people use
long pass phrases (20 characters or more) for privileged accounts. I've
seen some of these people make mistakes, but these passwords don't need
to be typed very often so occasional mistakes are acceptable. In fact,
most passwords are not typed very often. I type my 8 character password
about 5 times a day (half of those times to turn off a screen lock program)
with 95% accuracy.

--
John Carr (j...@athena.mit.edu)

Ronald S. Woan

Aug 23, 1993, 10:27:18 AM

I don't know anything about it, but I seem to remember password
handling under BSD 4.3 on the vaxen also ignoring >8 characters...
--
+------All Views Expressed Are My Own And Not Necessarily Shared By IBM-----+
+ Ronald S. Woan (IBM VNET)WOAN AT AUSTIN, wo...@exeter.austin.ibm.com +
+ outside of IBM wo...@austin.ibm.com or wo...@cactus.org or r.w...@ieee.org +
+ others wo...@soda.berkeley.edu Prodigy: XTCR74A Compuserve: 73530,2537 +

Adam Shostack

Aug 23, 1993, 2:34:59 PM
John F Carr (j...@athena.mit.edu), (in article <25atfo$q...@senator-bedfellow.MIT.EDU>) wrote:
>> Question: Has anyone seen reliability figures for long
>>passwords? I know I often mistype my passwords at 8 characters. How
>>much worse would the problem be with 12?

>MIT-Athena passwords can be longer than 8 characters. Some people use
>long pass phrases (20 characters or more) for privileged accounts.


So how do we go about convincing IBM to ship Kerberos?

Stephen O. Lidie

Aug 23, 1993, 3:44:42 PM
In article <1993Aug23.1...@das.harvard.edu>, ad...@bwh.harvard.edu

Do we agree that the passwd command should at the very least inform you
that your password is > 8 characters? Then the "design bug" (-: wouldn't
be a treacherous...

Take care,

SOL

Adam Shostack

Aug 23, 1993, 6:34:14 PM


Oh, heck yes. It should warn you with a message like "You can
stop typing now," if LANG is set to C, otherwise it should say
"068-3456: AIX only accepts the first eight characters of a new
password. For more information, see the man page for login. Thank
you for helping us secure this RS/6000 running AIX." :)

John F Carr

Aug 23, 1993, 7:19:15 PM

> So how do we go about convincing IBM to ship Kerberos?

Buy DCE. Kerberos is hidden deep within. I don't know how well DCE supports
long passwords overall, but there is support for them at some level.

--
John Carr (j...@athena.mit.edu)

Hamish Marson

Aug 23, 1993, 9:54:19 PM
Ronald S. Woan (wo...@exeter.austin.ibm.com) wrote:

: I don't know anything about it, but I seem to remember password
: handling under BSD 4.3 on the vaxen also ignoring >8 characters...
: --

And lots of other systems. SunOS also limits the user name to 8
chars, as does ultrix.......

--
======================================================================
| Hamish Marson |
| Systems Programmer | |
| Computer Services | INTERNET h.ma...@waikato.ac.nz |
| University of Waikato | PHONE +64 7 8562889 xt 8181 |
| New Zealand | FAX +64 7 8384066 |
===========Disclaimer :- Remember. You heard it here first.===========

Ross Boswell

Aug 24, 1993, 5:41:06 AM
In article <lusol-230...@meatball.cc.lehigh.edu> lu...@Lehigh.EDU (Stephen O. Lidie) writes:
>
>Do we agree that the passwd command should at the very least inform you
>that your password is > 8 characters? Then the "design bug" (-: wouldn't
>be a treacherous...
>
I'm almost sorry I kicked this thread off.
OK, I accept that it's a feature, not a bug.
A warning from passwd would be a fine thing.
At least it would stop idiots like me thinking
they've discovered something new.

Glenn R. Stone

Aug 24, 1993, 11:51:45 AM

> Eight characters is, unfortunately, the standard maximum
>length for a password. login and other programs would have to be
>changed to accommodate longer passwords. This is a change that should
>be forced on vendors, both by user complaints, and by the standards
>organizations.

'course, if you change the passwd() algorithm, then you get to change
a whole bunch of third-party code too, like xlock, etc...

c'est la guerre.

> Question: Has anyone seen reliability figures for long
>passwords? I know I often mistype my passwords at 8 characters. How
>much worse would the problem be with 12?

Not bad at all; I routinely password my VMS (yes, he swings both ways,
ladies and germs) accounts with biggie passwords without any more trouble
than the eight-character ones. My pgp passphrase is >15 characters, and
though I rarely use it (I probably should use it more :) I can only remember
blowing it once in thirty or so times...)

Of course, under AIX, it's all too simple to tinker with the authorization
routines (i.e. write yer own and install it) so you can do anything you
want with your own security.... <shrug>

-- Glenn R. Stone (gle...@eas.gatech.edu)
RS/6000critter at large

Ronald S. Woan

Aug 24, 1993, 3:57:31 PM

Remember there's nothing stopping you guys from submitting a DCR if
you feel strongly about this either way (probably not too many that
would think that limiting to 8 characters is a good feature, I'd
guess). The folks at AIX development do pay attention to customer
requirements...

Dave Mielke

Aug 24, 1993, 7:26:13 PM
In article <CCA4r...@austin.ibm.com>, Ronald S. Woan <wo...@austin.ibm.com> wrote:
>
>Remember there's nothing stopping you guys from submitting a DCR if
>you feel strongly about this either way (probably not too many that
>would think that limiting to 8 characters is a good feature, I'd
>guess). The folks at AIX development do pay attention to customer
>requirements...
>--
>Ronald S. Woan

Before this gets too far...

This problem is on all Unixes I know of. It has to do with the function
that actually encrypts your password, crypt(3c); read it. It only
encrypts the first eight non-null bytes. Maybe passwd(1) should warn
you when you set your password and all, but it's not AIX; it's HPUX, SunOS,
BSD, Linux, and a lot of others. The algorithm used by crypt makes
it only good for 8 bytes; if this were to be changed, you'd have to change
EVERY SINGLE UN*X COMPUTER IN THE WORLD! Imagine the trouble you'd have
telling people who don't know a computer from a telephone to switch. Failing
to switch everyone and all programs that depend upon this would introduce
portability issues; a lot of programs depend on a password not being greater
than 8 chars.

My $5,000,000US.

mark

--
One .sig to rule them all, One .sig to find them...
One .sig to bring them all and in the darkness bind them.

markem@bcarh10d -Within BNR / da...@bnr.ca -Without BNR :-)
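
To make the crypt(3) behaviour discussed above concrete, here is an added example (my own, not code from any poster or from AIX): a Python model of how traditional crypt(3) turns a password into its 56-bit DES key, plus the passwd-style warning the thread asks for. Only the key derivation is modelled, not the DES rounds; the sample passwords are constructed.

```python
"""Model of how traditional Unix crypt(3) consumes a password.

crypt(3) uses only the first eight characters of the password, and only the
low seven bits of each, to build its 56-bit DES key. Characters after the
eighth (and the high bit of each byte) have no effect on the stored hash.
"""
from typing import Tuple

SIGNIFICANT_CHARS = 8  # the limit the thread is about


def des_key_material(password: str) -> bytes:
    """Return the 8 key bytes crypt(3) derives from a password.

    Mirrors the classic derivation: take at most eight characters, keep the
    low seven bits of each, and shift left so the low bit is the DES parity
    bit. Shorter passwords are zero-padded. This is only the key schedule
    input; the DES iterations themselves are not modelled here.
    """
    raw = password.encode("latin-1", errors="replace")[:SIGNIFICANT_CHARS]
    key = bytes(((b & 0x7F) << 1) for b in raw)
    return key.ljust(SIGNIFICANT_CHARS, b"\x00")


def equivalent_under_crypt(a: str, b: str) -> bool:
    """True when crypt(3) would hash both passwords identically (same salt)."""
    return des_key_material(a) == des_key_material(b)


def check_new_password(password: str) -> Tuple[bool, str]:
    """The warning the thread wants passwd(1) to give.

    Returns (accepted, message). A long password is still accepted, as the
    systems in the thread do, but the caller is told what is silently ignored.
    """
    if len(password) <= SIGNIFICANT_CHARS:
        return True, "ok"
    ignored = len(password) - SIGNIFICANT_CHARS
    return True, (f"warning: only the first {SIGNIFICANT_CHARS} characters are "
                  f"significant; {ignored} trailing character(s) are ignored")


if __name__ == "__main__":
    # Constructed sample: a "clever" password whose special characters all
    # sit after the eighth position, as in the root-password story above.
    clever = "password#$%^&*"
    print(check_new_password(clever)[1])
    print("collides with 'password':", equivalent_under_crypt(clever, "password"))
```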

Daniel Len Schales

Aug 24, 1993, 10:29:46 PM
On 24 Aug 1993 01:54:19 GMT, Hamish Marson (ham...@thebes.cc.waikato.ac.nz) wrote:
> Ronald S. Woan (wo...@exeter.austin.ibm.com) wrote:

> : I don't know anything about it, but I seem to remember password
> : handling under BSD 4.3 on the vaxen also ignoring >8 characters...
> : --
> And lots of other systems. SunOS also limits the user name to 8
> chars, as does ultrix.......


Yes, the standard is 8, and keep in mind that if you have a
multi-vendor network running an NIS or similar scheme, all
of the systems must agree on the maximum length of the password.
If not, a password 12 characters long set on a machine
that handles that many characters will not work on an 8
character machine.

Login should take the long password anyway; it simply ignores the
extra characters, so you can set a long password and it will work.
It just isn't really what you thought it was, since passwd will
also truncate it.

Danny

Peter Much

Aug 24, 1993, 3:47:21 PM
In article <1993Aug23....@chmeds.ac.nz>,
Ross Boswell <d...@chmeds.ac.nz> wrote:

>Other unix systems (eg ultrix) don't seem to have such a password
>length restriction. Is it a "feature" of AIX??

Not only. Old Xenix286, I remember surely, also simply ignored
the 9+ characters. So it might be IBM tradition. Anybody know for
the original (PDP) unix?

Peter

Greg Pavlov

Sep 3, 1993, 11:21:57 AM
> In article <1993Aug23....@chmeds.ac.nz>,
> Ross Boswell <d...@chmeds.ac.nz> wrote:
>
> >Other unix systems (eg ultrix) don't seem to have such a password
> >length restriction. Is it a "feature" of AIX??
>
ULTRIX only looks at the first 8 characters of the password. What
led you to believe otherwise?

greg pavlov
pav...@fstrf.org

Michael Nenashev

Sep 5, 1993, 2:10:48 PM

There is a limits file in /etc/security with a passwd stanza in it, defining
password length and a few rules to check against when using the passwd command.
I did not try it but it sure looks like the one to change if you prefer
passwords longer than 8 chars.

Adam Shostack

Sep 7, 1993, 10:04:47 AM

login, su, passwd (when changing a password) are hardcoded to
only accept the first 8 characters, and then disregard everything
else. It's a shortcoming of unix. Hopefully, the newly emerging
standards will eventually address this shortcoming.

Gent Hito

Sep 7, 1993, 10:14:24 AM
Why doesn't netstat display anything?

csh> netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)


and it just hangs till I interrupt it.


Can anyone tell what might be wrong?

--
----------------------------------------------------------------------
"Contrariwise," continued Tweedledee, "if it was so, it might be; and
if it were so, it would be; but as it isn't, it ain't. That's logic!"
Lewis Carroll: "Through the Looking-Glass"

Chris Cellucci

Sep 8, 1993, 11:49:23 AM
michael@philae (Michael Nenashev) writes:

>Mike.

In AIX documentation, under limits.h, there is a definition called
PASS_MAX. This is the maximum length of a password, not including
the null terminator. However, (quote from docs) "only eight
characters of password information are significant."

Chris.
--
Christopher J. Cellucci "Yeah, yeah, yeah, pretty neat,
c...@cllcci.nshore.org pretty neat, pretty good,
bi...@summitis.com pretty good" - Jim Morrison

David L. Crow

Sep 8, 1993, 12:04:49 PM
gh...@bvcd.csc.ncsu.edu (Gent Hito) writes:

>Why doesn't netstat display anything?

Is your nameserver working? Try using the '-n' option to netstat.
If this works, then take a look at your nameserver configuration.
--
----------- Opinions expressed are mine, not my employer's ----------
| David L. Crow | Internet: cr...@austin.ibm.com |
| IBM AWS Graphics Systems | IBM VNET: CROW at AUSTIN |
| Austin, Republic of Texas | (512) 838-1134 T/L 678-1134 |

k...@aixnm014.raleigh.ibm.com

Sep 8, 1993, 2:19:34 PM
In article <1993Sep7.1...@ncsu.edu>, gh...@bvcd.csc.ncsu.edu
(Gent Hito) writes:
> From: gh...@bvcd.csc.ncsu.edu (Gent Hito)
> Subject: netstat just hangs
> Sender: ne...@ncsu.edu (USENET News System)
> Organization: BVCD High Speed Communications Networks
> References: <145...@netnews.upenn.edu> <1993Sep7.1...@das.harvard.edu>

>
> Why doesn't netstat display anything?
>
> csh> netstat
> Active Internet connections
> Proto Recv-Q Send-Q Local Address Foreign Address (state)
>
>
> and it just hangs till I interrupt it.
>
>
> Can anyone tell what might be wrong?

If you are using DNS, you could be having nameserver problems in resolving
the IP addresses to hostnames. I generally always use the -n option to
disable hostname resolution. Most notably:

netstat -rn shows me the routing table without doing hostname
resolution. If I have a problem with my routes, I probably
wouldn't be able to get to my nameserver, and without the
-n option, the command would hang.

Hope that helps....

>
>
>
> --
> ----------------------------------------------------------------------
> "Contrariwise," continued Tweedledee, "if it was so, it might be; and
> if it were so, it would be; but as it isn't, it ain't. That's logic!"
> Lewis Carroll: "Through the Looking-Glass"

--------------------------------------------------
Ken Chambers -- AIX Network Management Development
Research Triangle Park, North Carolina
