Eight-Character Password Limit in Mac OS X
Qwerpafw writes "While there have been the usual small announcements about Mac OS X security problems, there has been nothing so major as to make me worry about the security of my own box. However, I recently learned that for some reason, Mac OS X only understands passwords of up to 8 characters. Any other characters typed in are discarded as 'garbage.' Well, this worried me, as 8 characters is generally regarded as a rather small keysize, with only 256^8 maximum possibilities (or about 1.845 * 10^19). This is a very real hole in Mac OS X. To make things worse, I was able to find no mention of this at Apple's website, and you are never alerted of this when trying to enter a password greater than eight characters." This is generally not regarded as a security "hole", and has existed in BSD for many years (though most current BSDs have moved beyond the limitation). It is something to be aware of, and it would be nice if there were a workaround ...
Let's say we could use any of approximately 96 printable ASCII characters (in actuality, the password may allow non-printable or international characters).
Also, let's assume passwords must be at LEAST 4 characters (I don't know what restrictions, if any, are applicable to MacOS X).
Then we have 96^8 + 96^7 + 96^6 + 96^5 + 96^4 = 7289831534100480 passwords.
So, assuming about 10% of those are "guessable" by standard dictionary cracking methods (a ridiculously high amount), you have 728983153410048 non-guessable passwords (about 2^52).
That is A LOT to brute force. That doesn't even take into account the use of 'salts' to help discourage dictionary attacks.
So, true, allowing longer passwords would be nice. But it isn't even close to a troubling limitation.
If you need more protection for your data, use mcrypt.
A bigger concern would be if Mac OS X didn't use a shadow password file (anyone?), and if it doesn't at least do a rudimentary check to disallow easily guessable passwords. I assume Mac OS X can be configured to be insecure (boot up into desktop without a password), or more secure (passwords required, easy passwords disallowed, etc.)
"It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
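The keyspace arithmetic in the comment above, together with the truncation behaviour the submission describes, as an added worked example (this is not code from the original post, from Apple, or from any BSD; the 96-symbol alphabet, the 4-to-8 length range and the 8-character truncation limit are the comment's assumptions, and the sample passwords are constructed). It counts the passwords in the assumed range, expresses each count in bits, and shows what an 8-character truncating store actually compares: everything past the eighth character is ignored, so a long password has only as much effective strength as its first eight characters, and two different passwords that share a prefix are accepted as the same one.

```python
import math

# Assumptions taken from the comment above, not from any real system's configuration.
ALPHABET_SIZE = 96        # printable ASCII symbols a password may draw from
MIN_LEN, MAX_LEN = 4, 8   # shortest and longest password the comment considers
TRUNCATION_LIMIT = 8      # characters the old crypt(3)-style store actually keeps


def keyspace(alphabet=ALPHABET_SIZE, min_len=MIN_LEN, max_len=MAX_LEN):
    """Number of distinct passwords of length min_len..max_len over an alphabet."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def bits(count):
    """Search-space size expressed as bits (log2 of the number of candidates)."""
    return math.log2(count)


def effective_password(pw, limit=TRUNCATION_LIMIT):
    """What a truncating password store really keeps: only the first `limit` characters."""
    return pw[:limit]


def ignored_characters(pw, limit=TRUNCATION_LIMIT):
    """How many characters the user typed that never influence the stored hash."""
    return max(0, len(pw) - limit)


def collide_under_truncation(a, b, limit=TRUNCATION_LIMIT):
    """True when two different passwords are accepted as the same one because of truncation."""
    return a != b and effective_password(a, limit) == effective_password(b, limit)


def effective_bits(pw, alphabet=ALPHABET_SIZE, limit=TRUNCATION_LIMIT):
    """(nominal, effective) strength in bits: what the length suggests versus what survives truncation."""
    per_char = math.log2(alphabet)
    return len(pw) * per_char, min(len(pw), limit) * per_char


if __name__ == "__main__":
    total = keyspace()
    print(f"{MIN_LEN}..{MAX_LEN} chars over {ALPHABET_SIZE} symbols: {total} passwords ({bits(total):.1f} bits)")
    tenth = total // 10
    print(f"one tenth of that: {tenth} ({bits(tenth):.1f} bits)")

    # Constructed sample passwords: a long passphrase and a short one sharing its first 8 characters.
    long_pw = "MyLongPassphrase2002"
    short_pw = "MyLongPaws"
    nominal, effective = effective_bits(long_pw)
    print(f"{long_pw!r}: nominal {nominal:.1f} bits, effective {effective:.1f} bits, "
          f"{ignored_characters(long_pw)} characters ignored")
    print(f"collide under truncation: {collide_under_truncation(long_pw, short_pw)}")
```

The practical check a defender wants is `collide_under_truncation`: if a password-quality rule or a "confirm your password" step accepts two strings that agree on their first eight characters, the store is truncating and length requirements beyond eight characters buy nothing against a brute-force search.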