
Re: [cobalt-security] Re: Root has 10 different passwords on Qube2



It's a limitation of the mathematical algorithm itself. Most Unix-like systems
use an algorithm based on the Data Encryption Standard (DES). This algorithm
basically cuts away all but the first eight characters, adds two characters
called the salt, and repeats the DES algorithm 24 times or so, throwing away
information between each step. If you're interested in the mathematics behind
this I can dig up a good reference for you.

There are replacements available, using other one-way hash systems like MD5 and
SHA1. These can, at least in theory, use more than eight characters but I do
not know if the specific implementations do this.

To see if your Raq2 uses the old algorithm or some new variation you can look
at /etc/passwd or /etc/shadow. If you find strings like TYSc6Q4HlYy.. or
SczSWwlIzoDXQ you're using the old DES-style algorithm.

We are using the Qube and it came with the encrypted passwords readable for
everyone and almost no restrictions on the passwords the user can choose!
That's generally not a good idea. 

Sincerely, 
Ake Brannstrom

On Sat, 09 Sep 2000, you wrote:
> Does this also apply for the Raq2? ; i.e. we have been
> foolishly typing in 14-16 character passwords for the
> last year. (no-biggie).  Is this a limitation of the
> mathematical algorithm itself, all Linux, or just
> Cobalt OS Version.
> Cheers,
> RT
> <snip>
> >Yes, the password encryption algorithm only makes use of the first eight
> >characters and disregards the rest. There is no trivial way of increasing
> >this number, so the best thing you can do is choose a good password
> >containing numbers, special characters as well as a mix of upper case and
> >lower case letters.
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
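
The check described in the message (looking at the password field in /etc/passwd or /etc/shadow to see which algorithm is in use, and whether hashes sit in a world-readable file) can be scripted. The following is an added example, not part of the original message or of any Cobalt tooling; the function names and the sample accounts are assumptions made for illustration.

```python
import re

# Traditional DES crypt(3) field: 2 salt + 11 hash characters from [./0-9A-Za-z]
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format identifiers ($id$salt$hash)
MCF = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
       "5": "sha256-crypt", "6": "sha512-crypt"}

def classify(field):
    """Name the scheme used by one password field of passwd/shadow."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"            # real hash lives in /etc/shadow
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        parts = field.split("$")
        return MCF.get(parts[1], "unknown") if len(parts) > 2 else "unknown"
    return "des-crypt" if DES_RE.match(field) else "unknown"

def audit(text, world_readable):
    """Return (user, scheme, findings) for each account line in `text`."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":")[:2]
        scheme, findings = classify(field), []
        if scheme == "des-crypt":
            findings.append("only the first 8 password characters count")
        if world_readable and scheme not in ("shadowed", "locked", "empty"):
            findings.append("hash stored in a world-readable file")
        report.append((user, scheme, findings))
    return report

# Constructed sample in /etc/passwd layout; the two DES-style strings are the
# ones quoted in the message, the rest is made up for the example.
SAMPLE_PASSWD = """\
root:TYSc6Q4HlYy..:0:0:root:/root:/bin/bash
admin:SczSWwlIzoDXQ:100:100::/home/admin:/bin/bash
alice:$1$abcdefgh$0123456789abcdefghijkl:101:100::/home/alice:/bin/bash
bob:x:102:100::/home/bob:/bin/bash
nobody:*:99:99::/:/bin/false
"""

if __name__ == "__main__":
    for user, scheme, findings in audit(SAMPLE_PASSWD, world_readable=True):
        print(f"{user:8} {scheme:12} {'; '.join(findings) or 'ok'}")
```

To audit a real system, pass the contents of /etc/passwd with `world_readable=True` and the contents of /etc/shadow with `world_readable=False`.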