Slashdot Mirror


Eight-Character Password Limit in Mac OS X

Qwerpafw writes "While there have been the usual small announcements about Mac OS X security problems, there has been nothing so major as to make me worry about the security of my own box. However, I recently learned that for some reason, Mac OS X only understands passwords of up to 8 characters. Any other characters typed in are discarded as 'garbage.' Well, this worried me, as 8 characters is generally regarded as a rather small keysize, with only 256^8 maximum possibilities (or about 1.845 * 10^19). This is a very real hole in Mac OS X. To make things worse, I was able to find no mention of this at Apple's website, and you are never alerted to this when trying to enter a password greater than eight characters." This is generally not regarded as a security "hole", and has existed in BSD for many years (though most current BSDs have moved beyond the limitation). It is something to be aware of, and it would be nice if there were a workaround ...

8 of 124 comments

  1. Not 256^8 by mfos.org · Score: 4, Insightful

    Sorry to nitpick, but there are really only about 94^8 combinations (26 upper case, 26 lower case, 10 numerals, and ~32 symbols), which equals 6.095x10^15.

    The reason is that on most systems you can't simply enter those extended characters.

  2. approx. 96^8 = 7213895789838336 possible passwords by ChadN · Score: 5, Insightful

    Let's say we could use any of approximately 96 printable ASCII characters (in actuality, the password may allow non-printable, or international characters)

    Also, let's assume passwords must be at LEAST 4 characters (I don't know what restrictions, if any, are applicable to MacOS X).

    Then we have 96^8 + 96^7 + 96^6 + 96^5 + 96^4 = 7289831534100480 passwords.

    So, assuming about 10% of those are "guessable" by standard dictionary cracking methods (a ridiculously high amount), you have 728983153410048 non-guessable passwords (about 2^52).

    That is A LOT to brute force. That doesn't even take into account the use of 'salts' to help discourage dictionary attacks.

    So, true, allowing longer passwords would be nice. But it isn't even close to a troubling limitation.
    If you need more protection for your data, use mcrypt.

    A bigger concern would be if Mac OS X didn't use a shadow password file (anyone?), and if it doesn't at least do a rudimentary check to disallow easily guessable passwords. I assume Mac OS X can be configured to be insecure (boot up into desktop without a password), or more secure (passwords required, easy passwords disallowed, etc.)

    --
    "It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
  3. Lax security on Apple's part by SeanAhern · Score: 3, Insightful

    I have yet to be convinced that Apple is "serious about security" as I hear the pundits say. Here at LLNL, we've had any number of Apple representatives give OS X talks. They all mention how important security is to Apple. But things like "nidump passwd ." and the fact that Classic runs as setuid root tell me otherwise.

    (For verification of that last one, do "ls -l /System/Library/CoreServices/Classic Startup.app/Contents/Resources/TruBlueEnvironment".)

  4. It is a hole by sigwinch · Score: 2, Insightful
    This is generally not regarded a security "hole"...
    <megaphone>Sir, step away from the keyboard.</megaphone> Silently truncating passwords is a security hole of the first magnitude.

    Suppose I have a password like this:

    password weasel frycook barn tasteless thames gargoyle mascot
    That is an extremely strong password that somebody might actually be able to remember. A flawed OS that truncates it to eight characters will use this:
    password
    Which turns an NSA-class password into a Gomer Pyle-class password.
    --
    Kuro5hin.org: where the good times never end. ;-)

  5. Re:Oh God, Must Update! by 0x0d0a · Score: 3, Insightful

    Most of the people I talk to in the "art" community don't know you can get Photoshop for Windows.

    Photoshop for Windows is kind of flaky (at least it wasn't that stable on my NT box), uses that godawful MDI, and at least the last time I looked, still didn't have a bunch of the major plugins that were sold on the Mac.

    And I'm not a pro artist producing output for print -- I rarely do more than retouch things for onscreen viewing. Last time I looked, the MacOS had a complete, widely supported color management architecture (ColorSync) that Windows lacked an answer to. It may not seem like a big deal if you're the sort of person that doesn't have a $10k Radius monitor with a color probe and doesn't work with color profiles from all your output and input devices. But for the people putting out stuff for offset presses, this is a very major issue.

    Macs had multimonitor support years before Windows. The current version of Windows has multimonitor support (and a few driver writers had hacked up pseudo-multimonitor support), but it's a pain to use -- dialogs pop up halfway across the screen and drivers fight with each other. That doesn't mean that there aren't Mac apps that aren't multimonitor-friendly, but years of people using multiple monitors has ironed out all the kinks that Windows needs another seven years or so to get rid of.

    And why would someone want to migrate to Windows? I can rattle off the number of issues I have with Windows for ages. Now, Apple is hardly perfect either, but I'm not sure I'd call WinXP a better environment than OS X. There are fewer big commercial games on OS X, but if it's your work computer (or you aren't a hardcore gamer), it's not nearly as much of an issue. I'd call the Mac a reasonable choice. If you're comfortable with the Mac and you've been using it for years, then there isn't even an argument for Windows. The only Mac weakness is Apple's love for a sizeable profit margin on each computer they put out. But if you can afford to pay your way, you're looking at some good hardware and software.

    Of course, if I had a G4, I'd probably just put Linux on it, but to every man his own OS.

  6. *sigh* by patrik · Score: 3, Insightful

    Okay, listen up: if you don't know enough about Unix to know that a lot of Unices use DES encryption to do passwords (which allows for only 8 chars), then you shouldn't be fucking with the CLI, or at least don't expect things from it that aren't stated. Most Unices still use (or provide compatibility for) DES hashes as opposed to MD5. Apple is not that far behind the curve; give it up, it's a stupid topic. The people who should know about security will already know all this, and the people who don't really don't need to worry this much about security.

    The GUI for all of this seems to make it clear that it's only worrying about the first 8 chars.

    Patrik

    --
    ----------
    Just your ordinary BOFH ;)
    http://killertux.org
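
    As an added example (not code from any of the posters above), the Python below makes the mechanics of comments 2, 4 and 6 concrete: a constructed stand-in for the old DES crypt(3) that keeps only the first eight 7-bit characters (SHA-256 replaces the actual DES key schedule, since only the truncation matters here), the collision sigwinch describes, ChadN's keyspace sum, and a probe an administrator can run against any password-hashing routine to detect silent truncation before relying on long passphrases.

```python
import hashlib
import math


def legacy_crypt_model(password: str) -> str:
    """Constructed stand-in for traditional DES crypt(3): only the first
    eight characters (7 bits each) reach the key schedule; the rest is
    silently dropped. SHA-256 replaces DES here because only the
    truncation behaviour is being demonstrated, not the cipher."""
    key = "".join(chr(ord(c) & 0x7F) for c in password[:8])
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def full_length_model(password: str) -> str:
    """Constructed stand-in for a scheme that consumes the whole password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def detect_truncation(hash_fn, max_len: int = 64):
    """Probe a hashing routine for silent truncation.

    For each length n, hash a probe of n characters and the same probe
    with one extra character appended. The first n where both hashes
    match is the point past which input is ignored. Returns None if no
    truncation is found up to max_len."""
    for n in range(1, max_len + 1):
        probe = "a" * n
        if hash_fn(probe) == hash_fn(probe + "b"):
            return n
    return None


def keyspace(alphabet: int = 96, min_len: int = 4, max_len: int = 8) -> int:
    """Count passwords of length min_len..max_len over `alphabet` symbols,
    i.e. ChadN's 96^8 + 96^7 + 96^6 + 96^5 + 96^4."""
    return sum(alphabet ** k for k in range(min_len, max_len + 1))


def entropy_bits(count: int) -> float:
    """Brute-force effort, in bits, for a uniformly chosen password."""
    return math.log2(count)


if __name__ == "__main__":
    strong = "password weasel frycook barn tasteless thames gargoyle mascot"
    print("legacy collision:", legacy_crypt_model(strong) == legacy_crypt_model("password"))
    print("legacy truncates at:", detect_truncation(legacy_crypt_model))
    print("full-length truncates at:", detect_truncation(full_length_model))
    print("keyspace 96^4..96^8:", keyspace(), "~ 2^%.1f" % entropy_bits(keyspace()))
```

    Run `detect_truncation` against a real system's hashing call in the same way; a result of 8 means every character past the eighth is contributing nothing.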
  7. too bad we can't mod something off the front page. by clunis · Score: 2, Insightful

    As others have said, this is neither news nor specific to OSX. Solaris 2.6, Solaris 8, and AIX 3.4 all exhibit the same behavior.

    Maybe this is a security issue, maybe it isn't. MacOS X comes with sshd and telnetd disabled. Unless you turn these on I'll need physical access to your box to even begin a brute force attack. Of course, if I have physical access to your machine I'm already done and don't give a hoot what your precious 8 character password was.

    kevin

  8. Times Change by Anonymous Coward · Score: 1, Insightful

    Now, one year later, when your computer is 3 times as fast, how long would it take?

    Now, with distributed computing (I have 4 computers in my house), how long would it take?

    Just a thought.