I'm sure others will have a better answer, but I seem to recall that there's a difference between passwords and passphrases. Directly using a human readable password is bad since there's not enough randomness to it and you're limited to 8 or 16 characters.
With a passphrase you can do things like using the hash of the passphrase as the key, encrypting the passphrase with the first 8 or 16 characters of the passphrase as the key, etc. I believe there's a FIPS standard for generating encryption keys from a passphrase, using a technique similar to those mentioned above. If you're looking at a modern Unix crypt() analogue it's just a hash with salt. E.g., one possibility is H(passcode . H(salt . passcode)), with the salt is encoded in the first few characters of the stored password. BTW don't forget that many (all?) robust systems will generate a random encryption key for the body of the ciphertext. This key is the only thing encrypted with the key generated by the passphrase. Nadav Golombick wrote: > What is the correct procedure if I come to a situation where the > password length is too big for the given buffer. > > -- > Nadav Golombick > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [email protected] > Automated List Manager [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
