Sharad Joshi enscribed thusly:
> On Fri, 20 Aug 1999, Arshad Mahmood wrote:
> +
> + the maximum password length that is supported is eight characters. If a
> + user gives a password more than eight characters then he can log on to
> + machine using first eight characters. Is there any way to fix this
> + security hole?
> I don't understand how this is a security hole, unless the user
> explicitly chooses to make public, his first 8 characters :) Choosing a
> good password, 8 (or for that matter 7 or 6) characters in length, should
> suffice, no? Or is it a situation where tons of gold is involved? :)
Primary reason is that it can be deceptive. A common practice is
to take two words, mix in some punctuation and some misspelling and some
numbers. What if the first 8 characters ended up with only one of the
(big) dictionary words? You would think you were picking a "good"
password when you were really ending up with a very poor, guessable,
password.
Also, when attacking the password systems limited to 8
characters, things like Crack and John the Ripper only have to worry
about 8 characters or less. It limits both the dictionary attack
and the search domain.
> Sharad.
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
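As an added illustration (not part of the original messages), the Python sketch below audits a chosen password the way a system with an eight-character limit sees it, and sizes the search space that limit leaves. The wordlist, the sample passwords in the test and all function names are constructed for this example; the dictionary check is a deliberate simplification.

```python
import math

LIMIT = 8  # significant characters, as described in the thread

# Constructed sample wordlist; a real audit would load a full cracking dictionary.
WORDLIST = {"elephant", "mountain", "sunshine", "river", "tiger"}


def char_classes(s):
    """Return the set of character classes that appear in s."""
    classes = set()
    for ch in s:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def audit(password, wordlist=WORDLIST, limit=LIMIT):
    """Compare what the user typed with what the system actually checks."""
    effective = password[:limit]
    # Simplified check: do the letters of the checked part form one dictionary word?
    letters = "".join(c for c in effective if c.isalpha()).lower()
    return {
        "effective": effective,              # the part that is verified at login
        "ignored": password[limit:],         # typed, but never checked
        "classes_typed": char_classes(password),
        "classes_effective": char_classes(effective),
        "dictionary_word": letters in wordlist,
    }


def search_space_bits(alphabet_size, limit=LIMIT):
    """log2 of the number of candidate passwords of length 1..limit."""
    total = sum(alphabet_size ** n for n in range(1, limit + 1))
    return math.log2(total)
```

A password whose punctuation, capitals and digits all fall after the eighth character reports four character classes typed but only one checked, which is the deceptive case described in the reply.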