Jonathan Clarke wrote:
On 30/09/2009 07:43, Zdenek Styblik wrote: ...
I believe this is broken, or obsolete. I'm using a Perl port of the Unix crypt() function, and it works just fine for "any" password length. An 8-character limitation sounds like - history :)
Actually crypt() is system-dependent. Different *nixes implement it differently. Many implementations accept passwords of any length, but only use the first 8 characters to create the hash. As a result, using crypt passwords is insecure and non-portable.
So, yes, it sounds like history, but that's crypt for you :)
Regards, Jonathan
Errr ... well, it seems so. I think I've hit the wall with e.g. sshd x nss-switch when having passwords hashed by anything other than crypt(); also, using SSHA might be a bit of overkill (I'm not defending crypt()! :)). So, what's left? Or rather, what's the suggestion - which crypt function to use? Having passwords in MD5/SHA just - it doesn't sound very secure (neither is crypt()), even if those are portable. I'd say it depends on the type of credential leak - if the database is stolen, or the password is sniffed through e.g. HTTP [web app] - in the first case, hashed passwords will buy time; in the second, it doesn't matter how the password is stored in LDAP - right?
Probably a bit off-topic.
Regards, Zdenek
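As an added example, not code from either poster, here is a small audit helper in the spirit of the thread: it classifies the storage scheme of an LDAP userPassword value (flagging traditional DES crypt, whose hash reflects only the first 8 characters, and unsalted {SHA}/{MD5}), and it generates and verifies {SSHA} values so the "overkill" option can be compared with the alternatives. The scheme names, the detection of DES crypt by its 13-character form, and the sample values are my own assumptions and constructed inputs, not anything from the original mail.

```python
import base64
import hashlib
import hmac
import os
import re

# Traditional DES crypt(): 2-char salt + 11 chars of hash, all from the ./0-9A-Za-z alphabet.
# Assumption: any {CRYPT} value in this form is DES crypt and therefore only covers 8 characters.
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_userpassword(value: str) -> dict:
    """Return {'scheme', 'salted', 'truncates'} for an LDAP userPassword attribute value."""
    if value.startswith("{CRYPT}"):
        h = value[len("{CRYPT}"):]
        if h.startswith("$6$"):
            return {"scheme": "sha512-crypt", "salted": True, "truncates": False}
        if h.startswith("$5$"):
            return {"scheme": "sha256-crypt", "salted": True, "truncates": False}
        if h.startswith("$1$"):
            return {"scheme": "md5-crypt", "salted": True, "truncates": False}
        if _DES_CRYPT_RE.match(h):
            # The classic case from the thread: password silently cut to 8 characters.
            return {"scheme": "des-crypt", "salted": True, "truncates": True}
        return {"scheme": "crypt-unknown", "salted": None, "truncates": None}
    if value.startswith("{SSHA}"):
        return {"scheme": "ssha", "salted": True, "truncates": False}
    if value.startswith("{SHA}"):
        return {"scheme": "sha", "salted": False, "truncates": False}
    if value.startswith("{MD5}"):
        return {"scheme": "md5", "salted": False, "truncates": False}
    # No recognised prefix: LDAP servers treat this as a cleartext password.
    return {"scheme": "cleartext", "salted": False, "truncates": False}


def make_ssha(password: str, salt: bytes = None) -> str:
    """Build an {SSHA} value: base64(sha1(password + salt) + salt), with an 8-byte random salt."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value; constant-time compare on the digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def audit(values):
    """Return the list of (value, reason) pairs that a defender would want to re-hash."""
    findings = []
    for v in values:
        info = classify_userpassword(v)
        if info["truncates"]:
            findings.append((v, "only the first 8 characters are hashed"))
        elif info["salted"] is False:
            findings.append((v, "unsalted or cleartext"))
    return findings


# Constructed sample userPassword values (not real credentials).
SAMPLES = [
    "{CRYPT}abJnggxhB/yWI",          # DES crypt shape: 2-char salt + 11 chars
    "{CRYPT}$6$saltsalt$" + "A" * 86,  # SHA-512 crypt shape
    "{SHA}" + base64.b64encode(hashlib.sha1(b"secret").digest()).decode(),
    make_ssha("secret", salt=b"12345678"),
    "plaintext-oops",
]

if __name__ == "__main__":
    for value, reason in audit(SAMPLES):
        print(f"{value[:30]:<32} {reason}")
```

The audit only looks at the value's shape, so it can be run against an LDIF dump offline; re-hashing the flagged entries on the users' next login is the usual remediation, since the original passwords are not recoverable from the stored hashes.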