Eight-Character Password Limit in Mac OS X
Qwerpafw writes "While there have been the usual small announcements about Mac OS X security problems, there has been nothing so major as to make me worry about the security of my own box. However, I recently learned that for some reason, Mac OS X only understands passwords of up to 8 characters. Any other characters typed in are discarded as 'garbage.' Well, this worried me, as 8 characters is generally regarded as a rather small keysize, with only 256^8 maximum possibilities (or about 1.845 * 10^19). This is a very real hole in Mac OS X. To make things worse, I was able to find no mention of this at Apple's website, and you are never alerted of this when trying to enter a password greater than eight characters." This is generally not regarded as a security "hole", and has existed in BSD for many years (though most current BSDs have moved beyond the limitation). It is something to be aware of, and it would be nice if there were a workaround ...
Here in Kansas City it's not so tough being a Mac user-- there are plenty of major chains that sell Macs or peripherals for them (Microcenter and until recently, Circuit City), a large, healthy MUG (featured on Apple's site, no less) and many third-party suppliers and repair facilities (dumpster-diving has been fun since I moved out here). There's only one real drawback of living in Kansas City and being a Mac user: the rampant art faggotry, pseudo-creativity, and nerdario emo fags associated with Macintosh computing!
Yes, sadly, Kansas City is a hotbed for the so-called "art" and "emo" communities. You know the kind. Thick, silly glasses, mussed, tussled hair, ill-fitting cardigans, sweaters, dirty jeans and corduroys, and faded T-shirts purposefully purchased for the obscure entity it advertises on it. They're everywhere, these emo idiots, and they've infiltrated the Macintosh community through their affiliation with art.
Talking to one of these jerks is as exciting as digging up your dead grandmother and trying to get her to converse with you (though as hard as it would be staring at the fetid, rotting corpse of a loved one, I'd probably rather do that than spend any time with one of these whining, pierced, star-tattooed morons). They are usually brain-dead to begin with and share a common brain with each other. If art and emo fags sharing a brain is anything like allowing multiple log-ins on a Linux server, you know the drag-and-lag I'm talking about: roughly as fast as a 4-way amputee quadriplegic fat man in a marathon, and about as sharp as a beach ball.
As easy as the Mac is to use, hardware- and software-wise, these people make it look like Apple has asked them to interface with the thing using assembler. With their eyes shut and using only their tongues to type on the keyboard. Inquiring as to what version of Mac OS they're running usually results in only being able to tell if it's either Mac OS X or not: "the old one," or "the new one," is about all you'll get. Hoping one of these sub-human poseurs knows anything about their Macs is hoping for too much. I swear to God these people bought their Macs to be different and not because they actually needed a computer that worked right.
Yeah, maybe Macs are computers for people who don't use computers. But dammit, man, if you're going to own a tool, be able to use it and maintain it. I've seen some of these idiots on high-speed connections that are 4 or 5 OS updates behind. My favorite are the clueless slags who run 9.0 on their Mac and refuse to upgrade to X for whatever reason and haven't even touched 9.1 or 9.2. I mean, if you refuse to move up to X, at least be running the latest Mac OS 9 update that you can.
Kansas City's a great place, don't get me wrong. But the "art" community here, as well as the emo scene, make being a Mac user a little embarrassing. Maybe it's just me, since I moved from an area that wasn't so saturated with subculture shittiness and gayness, but I am having a harder and harder time being the proud underdog Mac user with these vegan indy-rock retards standing in my corner.
Will I abandon the Mac because of them? No. The Mac experience is finally growing my leaps and bounds again after half a decade of holding pattern. But I will start kicking ass and taking names the next time I see some slobbering, giggling emo retardo talking about his new iBook or Power Mac G4 louder than necessary, letting people know how "different" he is.
And that's a promise.
I bet you John the Ripper would crack your password in a matter of hours. They've built rules into it to do those letter to number conversions.
09F911029D74E35BD84156C5635688C0
Jesus loves you, I think you suck
The reason is because a long time ago this was an inherent security hole, at least the idea. In the good old days you could specify a password of unlimited chars, the first 8 characters were the only ones used, and this has been buried deeply inside of *unix for quite some time now. It's really not a security hole and maybe someday someone will sit down and change it.
Seemingly this exact question is asked every year around Jun/Jul/Aug. Weird, are people changing passwords around this time or what?
This has nothing to do with Apple's Darwin or any of that. It's really just the way things have been for quite some time. If you feel like switching the code then go ahead. Just be prepared to break compatibility with a lot of programs. What's the big deal anyway?? Key size doesn't really have jack to do with this if you choose a proper password; numbers, letters, etc. extended chars combined in one password would take some time to crack and that's assuming the person can get your passwd file. Blah lemme not even start this debate =)
In Jaguar the BSD subsystem is supposed to be synchronized with the features of FreeBSD 4.4, which has MD5 passwords among other choices. I wonder if this means Jaguar will include that as well? Pure speculation, but it sure would be nice, both for security reasons and for more interoperability with other Unixes. I've got a few remote FreeBSD users that I'd like to add to my OS X machine, but I haven't found a good way to move the passwords over without resetting them completely.
Say hello to zMac.
I think this was a decision to use the crypt (that might not be the name) algorithm over the more modern MD5 (again I'm not sure those are the right algorithms but it's not relevant to the argument). While the first is limited to 8 characters (you can have longer passwords, but you only need the first 8 to log in), it takes significantly more cycles to use, therefore brute force attacks on short passwords take a longer time. Since most users don't have passwords longer than 8 characters anyway, it makes sense for a consumer OS to use the former rather than the latter, seeing as 95% of passwords will be more secure with the more expensive algorithm because they don't take advantage of the extra length the more modern one provides.
At least I remember this being the official explanation from Apple, I'll draw my own conclusion after a couple more semesters of algorithm lectures....
If it's true I take my hat off to Apple for going for real security over the bigger numbers are better public theory.
--aiee
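Added example, not part of any comment above: a sketch of the truncation the thread describes, assuming the scheme in question is traditional DES-based crypt(3), which reads only the first 8 bytes of a password and keeps the low 7 bits of each (a 56-bit key). It also flags which entries in a passwd-style listing use that scheme rather than `$1$` MD5 crypt; the function names and the sample entries (including the hash strings) are constructed for illustration.

```python
import re

# Traditional DES crypt(3) field: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def des_crypt_key(password) -> bytes:
    """Key material traditional crypt(3) derives from a password.

    Only the first 8 bytes are read and only the low 7 bits of each are
    kept (shifted left one place; DES ignores the low parity bit).
    """
    raw = password.encode("utf-8") if isinstance(password, str) else password
    raw = raw[:8].ljust(8, b"\0")
    return bytes((b << 1) & 0xFF for b in raw)


def same_login(a, b) -> bool:
    """True when both passwords produce the same DES crypt key (same salt assumed)."""
    return des_crypt_key(a) == des_crypt_key(b)


def scheme(hash_field: str) -> str:
    """Classify the password field of a passwd-style entry."""
    if hash_field.startswith("$1$"):
        return "md5"    # MD5 crypt: no 8-character cut-off
    if DES_CRYPT.match(hash_field):
        return "des"    # truncates to 8 characters
    return "other"      # locked, empty, or a scheme not covered here


def truncating_accounts(passwd_text: str) -> list[str]:
    """Names of accounts whose stored hash is traditional DES crypt."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and scheme(fields[1]) == "des":
            names.append(fields[0])
    return names


# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE = """\
alice:abJnggxhB/yWI:501:20::/Users/alice:/bin/tcsh
bob:$1$Ab3dEf9h$0123456789abcdefghijk.:502:20::/Users/bob:/bin/tcsh
daemon:*:1:1::/var/root:/dev/null
"""

if __name__ == "__main__":
    print(same_login("correcthorse", "correcthXYZ"))  # share the first 8 characters
    print(truncating_accounts(SAMPLE))
```

Accounts reported by `truncating_accounts` are the ones where anything typed past the eighth character has no effect on login.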
For example the 'passwd' data is readable by everybody via netinfo. netinfo has no read/write per user/group privileges.
I don't think the 8 character password limitation will go away any time soon. The problem is so many protocols use the 8 character limit like AppleShare.
>80 column hard wrapped e-mail is not a sign of intelligent
>life