Eight-Character Password Limit in Mac OS X
Qwerpafw writes "While there have been the usual small announcements about Mac OS X security problems, there has been nothing so major as to make me worry about the security of my own box. However, I recently learned that for some reason, Mac OS X only understands passwords of up to 8 characters. Any other characters typed in are discarded as 'garbage.' Well, this worried me, as 8 characters is generally regarded as a rather small keysize, with only 256^8 maximum possibilities (or about 1.845 * 10^19). This is a very real hole in Mac OS X. To make things worse, I was able to find no mention of this at Apple's website, and you are never alerted of this when trying to enter a password greater than eight characters." This is generally not regarded as a security "hole", and has existed in BSD for many years (though most current BSDs have moved beyond the limitation). It is something to be aware of, and it would be nice if there were a workaround ...
The problem is that the problem is very real, and quite substantiated. Here is how to prove it: Now, you can believe me or not. It's up to you. But ask anyone with a Mac box to try this, and you will see...
However, as an aside, I hear that Apple may be fixing this in Mac OS X 10.2, aka Jaguar. This is because Jaguar is supposed to unify the BSD core of Mac OS X with a fairly current BSD, like 4.4 or whatever. But, since I do not have Jaguar, I really can't say either way. However, I know this is not a general (current) Berkeley standard distribution problem, so updating the BSD used by Mac OS X would probably fix this.
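The silent truncation described in the story can be tested for on a throwaway account of a system you administer. The sketch below is an added example, not part of the original post or comments: `make_verifier` is a constructed stand-in for a login check (PBKDF2 is used only for the model and is not what Mac OS X used), and `significant_length` is a hypothetical helper name.

```python
import hashlib
import hmac
import os


def make_verifier(password: bytes, max_len=None):
    """Constructed model of a password check.

    max_len=8 models the behaviour in the story: characters past the
    limit are dropped before hashing, with no warning to the user.
    max_len=None models a check that uses the whole password.
    """
    salt = os.urandom(16)

    def digest(pw: bytes) -> bytes:
        if max_len is not None:
            pw = pw[:max_len]  # the silent truncation under test
        return hashlib.pbkdf2_hmac("sha256", pw, salt, 1000)

    stored = digest(password)

    def verify(candidate: bytes) -> bool:
        return hmac.compare_digest(stored, digest(candidate))

    return verify


def significant_length(set_password, probe_len: int = 32):
    """Return how many leading characters the check really uses.

    set_password(pw) must set pw on a test account and return a
    verify(candidate) -> bool callable. A long probe password is set,
    then each shorter prefix is tried: the first prefix that is
    accepted is the truncation length. None means no prefix was
    accepted, so all probe_len characters matter.
    """
    probe = bytes(range(0x41, 0x41 + probe_len))  # distinct printable ASCII
    verify = set_password(probe)
    if not verify(probe):
        raise RuntimeError("probe password was not accepted at all")
    for n in range(1, probe_len):
        if verify(probe[:n]):
            return n
    return None


if __name__ == "__main__":
    print("truncating check :", significant_length(lambda p: make_verifier(p, 8)))
    print("full-length check:", significant_length(make_verifier))
```

Against a real system, `set_password` would wrap whatever sets and then checks the password of a disposable test account; the probing logic stays the same.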