Slashdot Mirror

← Back to Stories (view on slashdot.org)

Eight-Character Password Limit in Mac OS X

Posted by pudge on from the welcome-to-bsd dept.

Qwerpafw writes "While there have been the usual small announcements about Mac OS X security problems, there has been nothing so major as to make me worry about the security of my own box. However, I recently learned that for some reason, Mac OS X only understands passwords of up to 8 characters. Any other characters typed in are discarded as 'garbage.' Well, this worried me, as 8 characters is generally regarded as a rather small keysize, with only 256^8 maximum possibilities (or about 1.845 * 10^19). This is a very real hole in Mac OS X. To make things worse, I was able to find no mention of this at Apple's website, and you are never alerted of this when trying to enter password greater than eight characters." This is generally not regarded a security "hole", and has existed in BSD for many years (though most current BSDs have moved beyond the limitation). It is something to be aware of, and it would be nice if there were a workaround ...

1 of 124 comments (clear)

  1. Unix systems have been doing this for decades. by @madeus · · Score: 2, Troll

    Now, is it just me or does this article seem like a troll? Both from speaking to other users and from personal experience, loads of good articles get rejected then crap like this get's posted...

    Anyway...

    By default, Unix systems have typically had an 8 char password limit for decades. An 8 char limit for usernames, groupnames and passwords is part of the Unix standard.

    "Why?" I hear you ask...

    Well, deviating from this standard causes things like servers that often make use of authentication (e.g. FTP, Gopher, SSH, etc), NIS/NIS+ and various other local command line utilities to break. That's why you shouldn't deviate from the standard.

    Mac OS X, Darwin, AIX, Sco, Solaris, Irix, HP-UX, FreeBSD, OpenBSD, HURD and Linux all have this limit with DES passwords. Additionaly, all of these Operating Systems support alternative authentication mechanisims though (but you should *still* never have a user or group name longer than 8 chars).

    If you don't like it, you have the option to configure NetInfo to authenticate against another source, like say an OpenLDAP database, a Novell client or a Microsoft Active Directory server. If the system you are concerned about is a desktop system an 8 char passwd limit is your last problem, if it's a sever SSH can be configured to require an authentication certificate and so again, is a moot point.

    This is not even a remotely serious problem given the context. Anyone that thinks so is (a) so paranoid as to be mentally ill or (b) doesn't know enough about the topic to comment.

    This can't be stressed strongly enough: If you have data that's important (that is to say 'sensitive'), you should encrypt it, which is trivial to do by making a an encrypted disk image in Mac OS X (using Apple's included GUI utility: Disk Copy) then making it a login item and mounting it at login using scripts.