Eight-Character Password Limit in Mac OS X
Qwerpafw writes "While there have been the usual small announcements about Mac OS X security problems, there has been nothing so major as to make me worry about the security of my own box. However, I recently learned that for some reason, Mac OS X only understands passwords of up to 8 characters. Any other characters typed in are discarded as 'garbage.' Well, this worried me, as 8 characters is generally regarded as a rather small key size, with only 256^8 maximum possibilities (or about 1.845 * 10^19). This is a very real hole in Mac OS X. To make things worse, I was able to find no mention of this at Apple's website, and you are never alerted of this when trying to enter a password greater than eight characters." This is generally not regarded as a security "hole", and has existed in BSD for many years (though most current BSDs have moved beyond the limitation). It is something to be aware of, and it would be nice if there were a workaround ...
As a computer geek who married into the "art" community I think you have it backwards. I've seen a community mired in Macs. Most of the people I talk to in the "art" community don't know you can get Photoshop for Windows. Just because Macs were best for graphics five to ten years ago doesn't mean they still are. They are proud of using iMacs with tiny 15" monitors.
BTW, the bold makes it clear you're a nut even before I started reading.
I hit the karma cap, and all I got was this lousy sig.
Key size doesn't really have jack to do with this if you choose a proper password; numbers, letters, etc.
What if I choose a key size of one bit? That might matter..
cpeterso
The manpage for passwd(1) in Mac OS X 10.1.5 claims that password hashes can be in one of three formats, including MD5. An MD5 password can be up to 255 characters, so where do we get this 8 character limit?
This story could be true, but it doesn't seem likely on the face of it.
Please follow up with a verifiable citation of some sort. Otherwise this is a silly rumour.
Thank you
This is simply not true. OS X recognizes passwords greater than 8 characters. I myself have a 9 character password. The confusion I think arose because in the Password tab of the user window it only displays up to 8 *'s for a mask.
.sig error: carrier signal lost.
Now, is it just me or does this article seem like a troll? Both from speaking to other users and from personal experience, loads of good articles get rejected, then crap like this gets posted...
Anyway...
By default, Unix systems have typically had an 8 char password limit for decades. An 8 char limit for usernames, groupnames and passwords is part of the Unix standard.
"Why?" I hear you ask...
Well, deviating from this standard causes things like servers that often make use of authentication (e.g. FTP, Gopher, SSH, etc.), NIS/NIS+ and various other local command line utilities to break. That's why you shouldn't deviate from the standard.
Mac OS X, Darwin, AIX, SCO, Solaris, IRIX, HP-UX, FreeBSD, OpenBSD, HURD and Linux all have this limit with DES passwords. Additionally, all of these operating systems support alternative authentication mechanisms (but you should *still* never have a user or group name longer than 8 chars).
If you don't like it, you have the option to configure NetInfo to authenticate against another source, like say an OpenLDAP database, a Novell client or a Microsoft Active Directory server. If the system you are concerned about is a desktop system, an 8 char passwd limit is your last problem; if it's a server, SSH can be configured to require an authentication certificate and so again, it is a moot point.
This is not even a remotely serious problem given the context. Anyone that thinks so is (a) so paranoid as to be mentally ill or (b) doesn't know enough about the topic to comment.
This can't be stressed strongly enough: If you have data that's important (that is to say 'sensitive'), you should encrypt it, which is trivial to do by making an encrypted disk image in Mac OS X (using Apple's included GUI utility: Disk Copy), then making it a login item and mounting it at login using scripts.
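As an added example (not code from this thread, Apple, or any BSD), the following Python derives a DES key the way the classic DES-based crypt(3) does and shows why two passwords that share their first 8 characters hash identically: crypt(3) copies at most 8 characters into the key buffer and shifts each left by one bit, so only the low 7 bits of each of those 8 characters reach DES. That also corrects the 256^8 figure in the submission: the effective key is at most 56 bits, and with printable ASCII under 53 bits. The MD5 scheme mentioned earlier in the thread does not truncate and is not modelled here.

```python
import math

# Added example for this thread: a model of how traditional DES-based crypt(3)
# builds its key. This is illustrative code, not Apple's or any BSD's source.


def des_crypt_key(password: str) -> bytes:
    """Derive the 8-byte DES key that traditional crypt(3) uses for `password`.

    crypt(3) reads at most the first 8 characters, shifting each left by one
    bit so the low (parity) bit of every key byte is zero and the character's
    high bit falls off the top. Only the low 7 bits of each of 8 characters
    therefore reach DES, a 56-bit key. Characters beyond the 8th are never read.
    """
    raw = password.encode("utf-8")[:8].ljust(8, b"\x00")
    return bytes(((c & 0x7F) << 1) for c in raw)


def same_des_key(a: str, b: str) -> bool:
    """True when two passwords would produce the same DES crypt hash (same salt)."""
    return des_crypt_key(a) == des_crypt_key(b)


def keyspace_bits(alphabet_size: int, length: int = 8) -> float:
    """Bits of work to exhaust passwords of `length` characters drawn from
    `alphabet_size` symbols, capped at the 56 bits DES crypt can distinguish."""
    return min(length * math.log2(alphabet_size), 56.0)


if __name__ == "__main__":
    # Constructed sample passwords: the first two differ only after character 8.
    for pw in ("password1", "password2", "password"):
        print(f"{pw!r:13} -> DES key {des_crypt_key(pw).hex()}")
    print("same key for 'password1' and 'password2':",
          same_des_key("password1", "password2"))
    print("256^8 as posted = 2^64, but DES crypt sees at most",
          keyspace_bits(256), "bits; printable ASCII gives",
          round(keyspace_bits(95), 2), "bits")
```

The third sample shows the other side of the limit: an exactly 8-character password and any longer one that extends it are indistinguishable to the hash, which is why a login with trailing "garbage" still succeeds.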
The thing that scares me about Keychain is that passwords can be viewed in plain text. On multi-user systems this gets to be a BIG problem. For instance, where I work we have an OS X box in a lab. I am in charge of maintaining it. On a typical day we get about 5 users on it. Now if I were evil and wanted to know their network passwords (which is probably the same password that they use for everything), all I have to do is go into Keychain, enter an admin password and blammo, I've got it.