Slashdot Mirror


Eight-Character Password Limit in Mac OS X

Qwerpafw writes "While there have been the usual small announcements about Mac OS X security problems, there has been nothing so major as to make me worry about the security of my own box. However, I recently learned that for some reason, Mac OS X only understands passwords of up to 8 characters. Any other characters typed in are discarded as 'garbage.' Well, this worried me, as 8 characters is generally regarded as a rather small keysize, with only 256^8 maximum possibilities (or about 1.845 * 10^19). This is a very real hole in Mac OS X. To make things worse, I was able to find no mention of this at Apple's website, and you are never alerted of this when trying to enter a password longer than eight characters." This is generally not regarded as a security "hole", and has existed in BSD for many years (though most current BSDs have moved beyond the limitation). It is something to be aware of, and it would be nice if there were a workaround ...

5 of 124 comments

  1. Re:Methodology by brunson · · Score: 2, Interesting

    I bet you John the Ripper would crack your password in a matter of hours. They've built rules into it to do those letter to number conversions.

    --
    09F911029D74E35BD84156C5635688C0
    Jesus loves you, I think you suck
  2. 8 Character limitation by I_redwolf · · Score: 2, Interesting

    The reason is that a long time ago this was an inherent security hole, at least in idea. In the good old days you could specify a password of unlimited chars; the first 8 characters were the only ones used, and this has been buried deeply inside of *unix for quite some time now. It's really not a security hole, and maybe someday someone will sit down and change it.

    Seemingly this exact question is asked every year around Jun/Jul/Aug. Weird, are people changing passwords around this time or what?

    This has nothing to do with Apple's Darwin or any of that. It's really just the way things have been for quite some time. If you feel like switching the code then go ahead. Just be prepared to break compatibility with a lot of programs. What's the big deal anyway? Key size doesn't really have jack to do with this if you choose a proper password; numbers, letters, extended chars, etc. combined in one password would take some time to crack, and that's assuming the person can get your passwd file. Blah, lemme not even start this debate =)

  3. Jaguar? by Van+Halen · · Score: 3, Interesting

    In Jaguar the BSD subsystem is supposed to be synchronized with the features of FreeBSD 4.4, which has MD5 passwords among other choices. I wonder if this means Jaguar will include that as well? Pure speculation, but it sure would be nice, both for security reasons and for more interoperability with other Unixes. I've got a few remote FreeBSD users that I'd like to add to my OS X machine, but I haven't found a good way to move the passwords over without resetting them completely.

  4. crypt vs MD5 by Snuffub · · Score: 3, Interesting

    I think this was a decision to use the crypt (that might not be the name) algorithm over the more modern MD5 (again I'm not sure those are the right algorithms, but it's not relevant to the argument). While the first is limited to 8 characters (you can have longer passwords, but you only need the first 8 to log in), it takes significantly more cycles to use, therefore brute force attacks on short passwords take longer. Since most users don't have passwords longer than 8 characters anyway, it makes sense for a consumer OS to use the former rather than the latter, seeing as 95% of passwords will be more secure with the more expensive algorithm because they don't take advantage of the extra length the more modern one provides.

    At least I remember this being the official explanation from Apple; I'll draw my own conclusion after a couple more semesters of algorithm lectures....

    If it's true I take my hat off to Apple for going for real security over the "bigger numbers are better" public theory.

    --
    --aiee
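The story submitter says characters after the eighth are silently discarded, and comment 4 puts it as "you only need the first 8 to log in". Both are describing the input handling of traditional DES-based crypt(3), which builds its 56-bit DES key from the low 7 bits of each of the first eight characters and ignores the rest. The check a practitioner actually wants is a way to find out, on a given system, how much of the password the hasher really uses. The following is an added example, not code from the story, the commenters, or Apple: `effective_length()` mutates one character of a probe password at a time and reports the first position whose change the hasher cannot see. `des_crypt_like()` is a constructed model of crypt(3)'s truncate-to-8 and mask-to-7-bits behaviour (it uses SHA-256 in place of the DES rounds and is not a compatible crypt implementation), `full_length_hash()` is a hasher that uses every byte, and `probe_system_crypt()` runs the same check against the local crypt(3) through Python's `crypt` module, which is assumed to exist and accept a two-character DES salt; it returns None when it does not.

```python
"""Detect whether a password hasher silently ignores part of its input.

Added example for the 8-character crypt(3) discussion; not code from the
Slashdot story, its commenters, or Apple.
"""
import hashlib
from typing import Callable, Optional

Hasher = Callable[[str, str], str]


def des_crypt_like(password: str, salt: str) -> str:
    """CONSTRUCTED stand-in for traditional DES crypt(3).

    Real DES crypt keys DES from the low 7 bits of each of the first 8
    characters.  This copies only that input handling (truncate to 8 chars,
    mask each to 7 bits) and then hashes with SHA-256, so it models the
    truncation without being a compatible crypt implementation.
    """
    key = bytes(ord(c) & 0x7F for c in password[:8])
    digest = hashlib.sha256(salt.encode() + key).hexdigest()
    return salt + digest[:11]


def full_length_hash(password: str, salt: str) -> str:
    """Hasher in which every byte of the password influences the result."""
    return salt + hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def effective_length(hasher: Hasher, salt: str = "ab",
                     probe_len: int = 64) -> Optional[int]:
    """Number of leading characters the hasher actually uses.

    Change one character of a probe password at each position; the first
    position whose change leaves the hash unchanged is where truncation
    begins.  Returns None if every position up to probe_len matters.
    """
    probe = "p" * probe_len
    reference = hasher(probe, salt)
    for i in range(probe_len):
        mutated = probe[:i] + "q" + probe[i + 1:]
        if hasher(mutated, salt) == reference:
            return i
    return None


def ignores_high_bit(hasher: Hasher, salt: str = "ab") -> bool:
    """True when setting bit 7 of one character leaves the hash unchanged,
    the signature of a hasher that keys on 7-bit ASCII (classic DES crypt)."""
    plain = "passw0rd"
    high = plain[:3] + chr(ord(plain[3]) | 0x80) + plain[4:]
    return hasher(plain, salt) == hasher(high, salt)


def probe_system_crypt() -> Optional[int]:
    """Run effective_length() against the local crypt(3), if reachable.

    Assumes Python's crypt module is present (deprecated from 3.11, removed
    in 3.13) and that libc accepts a two-character DES salt.  Returns None
    whenever the probe cannot be run or the library refuses the salt.
    """
    try:
        import crypt  # deprecated/absent on newer Pythons; guarded below

        def hasher(pw: str, s: str) -> str:
            return crypt.crypt(pw, s)

        # A library that rejects DES returns a failure token (or None) for
        # every input; treat "same hash for different passwords" as unusable.
        if not isinstance(hasher("x", "ab"), str) or hasher("x", "ab") == hasher("y", "ab"):
            return None
        return effective_length(hasher, "ab")
    except Exception:
        return None


if __name__ == "__main__":
    print("constructed DES-style hasher uses", effective_length(des_crypt_like), "chars")
    print("full-length hasher truncates at", effective_length(full_length_hash))
    print("constructed DES-style hasher ignores bit 7:", ignores_high_bit(des_crypt_like))
    print("system crypt(3) effective length:", probe_system_crypt())
```

On a system whose crypt(3) still honours DES salts, `probe_system_crypt()` returns 8, which is the submitter's observation reproduced as a measurement rather than a rumour; on a libc that has dropped DES, or on Python 3.13 and later, it returns None and the constructed hasher is the only thing that demonstrates the truncation. The high-bit test is the reason the submitter's 256^8 keyspace overstates the real one: with 7 usable bits per character the DES key is 56 bits, and with a printable-ASCII password it is smaller still.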
  5. There are worse problems by anarkhos · · Score: 2, Interesting

    For example the 'passwd' data is readable by everybody via netinfo. netinfo has no read/write per user/group privileges.

    I don't think the 8 character password limitation will go away any time soon. The problem is so many protocols use the 8 character limit like AppleShare.

    --
    >80 column hard wrapped e-mail is not a sign of intelligent
    >life