Slashdot Mirror

← Back to Stories (view on slashdot.org)

Eight-Character Password Limit in Mac OS X

Posted by pudge on from the welcome-to-bsd dept.

Qwerpafw writes "While there have been the usual small announcements about Mac OS X security problems, there has been nothing so major as to make me worry about the security of my own box. However, I recently learned that for some reason, Mac OS X only understands passwords of up to 8 characters. Any other characters typed in are discarded as 'garbage.' Well, this worried me, as 8 characters is generally regarded as a rather small keysize, with only 256^8 maximum possibilities (or about 1.845 * 10^19). This is a very real hole in Mac OS X. To make things worse, I was able to find no mention of this at Apple's website, and you are never alerted of this when trying to enter password greater than eight characters." This is generally not regarded a security "hole", and has existed in BSD for many years (though most current BSDs have moved beyond the limitation). It is something to be aware of, and it would be nice if there were a workaround ...

13 of 124 comments (clear)

  1. 8 characters should be more than enough by Tim_F · · Score: 4, Informative

    As long as people are careful in the way they make passwords.

    Don't use words from the dictionary. Don't use personal information. Do mix up alpha-numerica and uppercase/lowercase. Throw in some punctuation if allowed.

    In other words: make it as randon as possible. This will make it more difficult to brute force crack.

  2. Could be worse by silicon_synapse · · Score: 3, Informative

    It could still be worse. Windows for example stores passwords of any size in seven-character hashes. You could use the strongest password you want, but it will be no stronger than the best group of seven charcters stored. For example, suppose you use the password h9QY*(f9v3h4. Windows would store one hash of h9QY*(f and one hash of 9v3h4. By the time a password cracker cracks h9QY*(f it would have already cracked the 9v3h4. With so much reliance on passwords, why aren't stronger passwords/passphrases properly supported? I wouldn't think it'd be that difficult.

  3. Should be fixed in Jaguar by Anonymous Coward · · Score: 2, Informative

    Jaguar is supposed to be based off of a much newer version of BSD (something like 4.4 or 4.5) that should have this problem fixed. This only applies if the fault is in the unix underpinning alone and not in the MacOS.

  4. shadow by SeanAhern · · Score: 3, Informative

    I'm not completely positive, but I don't believe that OS X supports shadow passwords currently.

    In fact, even if you somehow lock down the /etc/passwd file, any user can get a clean passwd database by running "nidump passwd ."

    That's scary to me.

    But what do I know...

    1. Re:shadow by Taliban+Lecher · · Score: 2, Informative

      /etc/master.passwd is *NOT* readable by users. /etc/passwd is only for single user boot.

      But: nidump isn't even suid or sgid, but netinfod is running as root and suspect to spill the beans.

      chmod go-rwx `which nidump` therefor would not help either, as any user can grab a binary from elsewhere.

  5. Re:lapprox 96^8 = 7213895789838336 possible passwo by ChadN · · Score: 4, Informative

    A "salt" is a little bit of randomness to increase entropy (information content). Say you have a simple password ("apple"), without a 'salt' added. Then someone just needs to encrypt the entire dictionary, which has the word "apple" in it, and compare the encrypted result to your encrypted password. They will easily be able to see that "apple" is your password (because the encryptions match). Note that they only had to encrypt the dictionary ONCE, to detect any simple dictionary password.

    Now, suppose that your password "apple" had 12 random bits added to it BEFORE it was encrypted. Those 12 random bits are not-secret (they are published along with the encrypted password+salt). The person who wants to use a dictionary attack on your password has to first look at your salt, and add it to all the words in their dictionary before encrypting and comparing them. Thus, they either have to generate (and store) encrypted dictionaries with all possible salts, or wait until they know your salt to start encrypting. Either way, you given them more work (possibly a LOT more work).

    Finally, if they get a thousand encrypted passwords, each with a different salt, they have to do 1000 dictionary searches (one per each unique salt), rather than just one.

    So, 'salts' are just small bit of randomness that are added to a lot of cryptographic protocols (and are crucial to certain more advanced protocols), do basically eliminate certain simple cracking methods, without adding much complexity or work for the legitimate users of the protocol.

    --
    "It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
  6. Re:lapprox 96^8 = 7213895789838336 possible passwo by klui · · Score: 2, Informative

    Unfortunately, Mac OS X uses netinfo to store most of its information and all of the information, including passwords, are available to anyone who can execute nidump. i.e. nidump passwd .

  7. Re:lapprox 96^8 = 7213895789838336 possible passwo by Anonymous Coward · · Score: 3, Informative

    To bring this from the theoretical to implementation details:

    If you look at a standard crypted password in a UNIX password file, you will see something like this:
    f6HXOu/NErmqM

    The first two characters are always the salt ("f6" in the above example. The password is xyzzy. What this means is that there are 4096 different ways to encrypt the word "xyzzy" (because salts are two characters from [A-Za-z0-9/.]). Other ways to encrypt xyzzy with different salts:
    q.XRwCdLMrhAI
    9M7WQHXYLACb6

    So if you wanted to generate a dictionary of passwords and their crypted equivalents, you'd have to actually generate 4096 of those dictionaries in order to be able to find any potential password you'd come up against.

    But for the legitimate user, salts provide no real additional work. If we want to verify that the password the user typed in is correct, we look at the salt on the crypted password ("f6") and call crypt with that password and salt:
    crypt("xyzzy", "f6")
    If the result matches what's in the password file, we know we've got a valid password.

  8. No shadow passwords in NetInfo by jbn-o · · Score: 4, Informative
    In fact, even if you somehow lock down the /etc/passwd file, any user can get a clean passwd database by running "nidump passwd ."

    Old NeXT hands know this because that same weakness existed (and was complained about yet never adequately addressed) back when NeXT existed and NeXTSTEP was actively being developed. NetInfo didn't scale up very well and it never had shadow passwords, two qualities that made it not seem so attractive for local administrators I knew back then. But I'd say this is really just another example of why you should care about your software freedom. After a while NeXT stopped caring about the underlying Unix layer (in NeXTSTEP and OPENSTEP this was 4.3 BSD) and the tools they shipped (an antiquated sendmail that had plenty of holes, for instance) and cared more about things like WebObjects and various high-level "kits" (some of which died before being developed very far).

    It was this experience that helped lead me to caring about Free Software operating systems and running only Free Software on top of those systems. Because there I know if there's a hole I can choose to wait for someone to fix it for me, or learn to fix it myself, or hire someone to fix it for me. How much delay I impose on myself has more to do with my willingness to learn about and/or pay for.

    --
    Digital Citizen
  9. Keychain uses more characters by wareadams · · Score: 2, Informative

    While this is true, the keychain is somewhat more secure.

    By default, the keychain takes the login password, but it uses the full length, not just the first 8 characters. If you have a 15 character login and make a mistake in the 10th character, you will be logged in. However, you will have to reinter your password (all 15 characters) to access the keychain.

    This is good b/c the keychain protects a lot of stuff but it still would be nice to know that your login password is only 8 characthers long.

  10. There is a knowledge base article on this by aelvin · · Score: 3, Informative

    Article ID: 106765
    Created: 2/26/02

    "The effective password length for Mac OS X and Mac OS X Server is eight characters. You may type more characters, but they are ignored."

  11. KeyChain can take up to 34 charachters by AIXadmin · · Score: 3, Informative

    The keychain for storing passwords in a encrypted AES package can take up to 34-charachters.
    Unfortunatly , it is the BSD layer that limits things to 8.

  12. lots of commercial UNIX's only support 8 chars by steve.m · · Score: 4, Informative

    I tried this on some different platforms and found that Solaris 8, AIX 5 and Tru64 4.0F only use 8 chars.

    HP-UX 11 uses more than 8.

    I could have done a few more, but our SGI IRIX, Dynix PTX, Sinix and DG-UX boxes are offline.