When computing power/storage was at a premium, things like crypt() worked fine; if you'd suggested a multi-gigabyte table of crypt()'ed dictionary words, most people would have said "nice, but not doable right now". Well the times, they change. Now many versions of UNIX use PAM, pluggable authentication modules. An article I wrote for sysadmin magazine a while ago covers PAM:

http://www.samag.com/documents/s=1161/sam0009a/0009a.htm

The thing with PAM is you have much more flexibility in your authentication backend; once an application is PAM'ified (basically all are now) you can use whatever you want, as long as PAM supports it (and PAM supports most anything). This has led to MD5/etc hashes rather than crypt(), which provides the ability to use much longer passwords, or things like smartcards/biometrics/radius/kerberos/etc (without having to tear apart the program doing the authentication to insert support).

Now according to Apple's docs, such as:

http://www.apple.com/macosx/pdfs/MacOSX_for_UNIX_users_TB.pdf

Mac OS X supports PAM. According to some other docs you can stipulate the password length in Mac OS X 10.2 and up; perhaps they use a default of 8 characters since "that's how UNIX used to work". My Macs are all off for the night, or I'd make an attempt to look at the actual password storage to see how it is kept.

Kurt Seifried, [EMAIL PROTECTED]
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
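As an added example (not part of the original post): a small audit that sorts shadow-format hash fields into traditional crypt() versus MD5 (`$1$`) storage, the two schemes the post contrasts, and lists the accounts still on the 8-character scheme. The sample entries and the function names are constructed for illustration.

```python
import re

# Constructed sample in /etc/shadow layout (user:hash:...). The hash strings are
# made up to have the right shape; they are not real password hashes.
SAMPLE_SHADOW = """\
alice:abJnggxhB/yJo:12000:0:99999:7:::
bob:$1$Xy3kLm9q$0123456789abcdefghijkl:12000:0:99999:7:::
carol:!:12000:0:99999:7:::
dave:*:12000:0:99999:7:::
erin:$1$short$tooshort:12000:0:99999:7:::
"""

B64 = r"[./0-9A-Za-z]"                      # alphabet used by crypt(3) output
DES_CRYPT = re.compile(rf"^{B64}{{13}}$")  # 2-char salt + 11-char hash
MD5_CRYPT = re.compile(rf"^\$1\${B64}{{1,8}}\${B64}{{22}}$")  # $1$salt$hash

def classify(field):
    """Return the storage scheme implied by one shadow hash field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    if DES_CRYPT.match(field):
        return "des-crypt"
    if MD5_CRYPT.match(field):
        return "md5-crypt"
    return "unknown"

def audit(shadow_text):
    """Map each user name to the scheme of its stored hash."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2:
            continue
        result[parts[0]] = classify(parts[1])
    return result

def legacy_users(shadow_text):
    """Users on traditional crypt(): only the first 8 password characters count."""
    return sorted(u for u, s in audit(shadow_text).items() if s == "des-crypt")

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE_SHADOW).items():
        note = "  <- password truncated at 8 characters" if scheme == "des-crypt" else ""
        print(f"{user:8} {scheme}{note}")
```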
