On Mon, 08 Dec 2014 22:24:17 +1300, Helen Borrie <[email protected]> wrote:
>>Chapter 12 says:
>>
>>"An effective password, using the default user manager Srp, can be up to
>>20 characters. If you have already configured the server to use legacy
>>authentication (see below), or you intend to do so, then only the first 8
>>characters of any password, including that of the SYSDBA, will be read."
>>
>>As I remarked before this isn't true, the password is effectively
>>unlimited, or at least substantially longer than 20 characters (I have
>>tested it up to 100+ characters). Please don't confuse the size of the
>>resulting hash with the allowed size of the password.
>
> It is true that passwords can be much longer (although not "unlimited").
> I think Alex mentioned 256 characters, or thereabouts. I'm not confusing
> it. In Firebird 3 currently, i.e., Beta 1, SRP is the one available user
> manager other than legacy. An EFFECTIVE password with SRP is 20 characters
> or less, due to the hash algorithm. That's it.

The length of the hash value (160 bits or 20 bytes) has no direct relation to the effectiveness of the password (the hashed value). The hash is over the entire password irrespective of its length, so there is no limit to the password (apart from any implementation limitations in the length of password Firebird is able to accept). Now due to the pigeon-hole principle of course different passwords might lead to the same hash value, but that doesn't mean that longer passwords are less effective. Hashes like these are also used to prove the authenticity of files that are several orders of magnitude larger (KB, MB, GB, TB etc).

> Legacy authentication still does not read passwords past the eighth
> character.....or have I missed something?

The legacy auth password is stored separately. The limitation of 8 characters in legacy auth is - iirc - because the password itself is **directly** used as the **key** to a modified DES encryption (or decryption) of a zero-block (or one-block), instead of **deriving** a key from the password. The key of DES is 64 bit, which means that you can only use 8 characters.

SRP uses a hash (or key-derivation) algorithm to derive a key from the password. This key is only 160 bit, but the input to the hash algorithm is effectively unlimited. Hash algorithms are constructed so small changes to the input create significant changes in the hash. So there is no limit on the length (apart from any implementation limitations, see above), nor is there an effective limit on the password other than the implementation limitation itself. This is contrary to the legacy authentication where only the first 8 characters were used no matter the length of the password you entered.
For example with Srp a 100 character password is different from the same 100 characters + 1 (and I have tested this!), as opposed to legacy auth where an 8 character password is the same as the same 8 characters + 1.

Mark

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
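The distinction Mark draws above (a key taken directly from the password and therefore capped at the DES key size, versus a digest computed over the whole password) can be checked with a small model. The following is an added example written for this page; it is not Firebird code and does not reproduce Firebird's actual legacy hash or its SRP verifier. The legacy side is modelled only as "the first 8 bytes of the password become the 64-bit DES key", and the SRP side only as a plain SHA-1 digest (chosen because the message cites a 160-bit value; real SRP also involves a salt and group arithmetic). The helper `effective_prefix_length` is a constructed diagnostic that reports how many leading characters actually influence the derived value.

```python
import hashlib

DES_KEY_BYTES = 8  # a DES key is 64 bits, so at most 8 password bytes can reach it


def legacy_style_key(password: str) -> bytes:
    """Model of the legacy scheme: the password *is* the DES key.

    Constructed illustration only. Anything past the first 8 bytes is
    silently dropped, because a DES key has no room for it.
    """
    raw = password.encode("utf-8")[:DES_KEY_BYTES]
    return raw.ljust(DES_KEY_BYTES, b"\0")  # short passwords are zero-padded


def srp_style_digest(password: str) -> bytes:
    """Model of the hash-based scheme: a 160-bit digest over the whole input.

    Assumption: SHA-1 stands in for the digest the message refers to. Every
    byte of the password, however long, feeds the hash state.
    """
    return hashlib.sha1(password.encode("utf-8")).digest()


def effective_prefix_length(derive, password: str) -> int:
    """Smallest n such that derive(password[:n]) == derive(password).

    Characters beyond that prefix contribute nothing to the derived value,
    so this is the number of characters an attacker would actually need to
    guess. (Constructed helper; for a real hash a shorter prefix matching
    would be a collision and is not expected.)
    """
    target = derive(password)
    for n in range(len(password) + 1):
        if derive(password[:n]) == target:
            return n
    return len(password)


def appending_changes_result(derive, password: str) -> bool:
    """True when adding one more character yields a different derived value."""
    return derive(password) != derive(password + "x")


if __name__ == "__main__":
    # Constructed sample: the 100-character password from the message.
    long_pw = "".join(chr(ord("a") + (i % 26)) for i in range(100))
    short_pw = "abcdefgh"  # exactly 8 characters, the DES key size

    for name, derive in (("legacy-style", legacy_style_key),
                         ("srp-style", srp_style_digest)):
        print(f"{name:12s} 100-char password, +1 char changes result: "
              f"{appending_changes_result(derive, long_pw)}")
        print(f"{name:12s} 8-char password, +1 char changes result:   "
              f"{appending_changes_result(derive, short_pw)}")
        print(f"{name:12s} characters that matter in 100-char password: "
              f"{effective_prefix_length(derive, long_pw)}")
```

The output shows the legacy model ignoring everything after the eighth character (the 100-character and 101-character passwords derive the same key, and only 8 characters "matter"), while the digest model reacts to every appended character and uses all 100. The 20-byte size of the digest never enters into it; it bounds the output, not the input.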
