Quote:>> But if you've chosen to use DES, you'll be limited to 8 character passwords,
>> last I heard, and any extra characters will probably be ignored as you say.
>True, DES does ignore everything after the 8th character.
Actually, DES can easily handle longer passwords. It is the standard
DES-based password encryption program that is limited to 8 characters.
You can go into the source code and change that, if you feel like it.
I don't think that would mess up anything else, but I'm not sure.
One easy change, that I am fairly sure would work without problems,
is to alter the way the salt is handled. E.g. reverse the order of
the two-character salt, then pass it on to the normal password
encryption program. That seems like a simple and transparent change,
but it would prevent someone running a crack-like program on another
machine from learning anything from your passwd file.
Quote:>1. Are longer passwords safer than 8 character DES passwords?
I don't think so. Working through all 2^56 possibilities for
an 8 bit password is still computationally impossible. I think
the real issue is weak versus strong passwords. E.g. ``secret''
is a very bad password but within the 8 character limit; ``verysecret''
would still be a very bad password even though it uses more
than eight characters. Basically, you want to make sure passwords
are hard to guess (and, these days, ``easy to guess'' means
pretty much any word, or combination of words, that can be
found in any dictionary, list of names, etc.) I don't think
an 8 character limit really restricts the choices of strong
passwords. I can see some advantage, but I really think the
problem is to get all of your users to adopt strong passwords,
rather than allowing them to use longer, maybe-strong-maybe-weak
passwords.
Frank Crary
CU Boulder
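As an added illustration, not code from the post above, here is a small Python model of the two points it makes: the 8-character limit sits in the crypt wrapper rather than in the cipher, and reversing the two salt characters before calling the unchanged routine produces hashes that an off-the-shelf crack tool, reading the salt from the passwd file, will not reproduce. hashlib.sha256 stands in for the DES-based routine purely to keep the example self-contained (an assumption; it is not DES and the real output format differs), and the check also shows the one salt where the trick buys nothing.

```python
import hashlib

# Stand-in for the classic DES-based crypt(3): like the real program it
# ignores everything after the 8th character and takes a 2-character salt.
# SHA-256 is used only so this runs offline; it is NOT DES.
SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def legacy_crypt(password: str, salt: str) -> str:
    """Unmodified routine: salt (in the clear) + hash of salt and first 8 chars."""
    if len(salt) != 2 or any(c not in SALT_CHARS for c in salt):
        raise ValueError("salt must be two characters from the crypt alphabet")
    key = password[:8]  # the 8-character limit lives here, not in the cipher
    digest = hashlib.sha256((salt + key).encode()).hexdigest()[:11]
    return salt + digest


def reversed_salt_crypt(password: str, salt: str) -> str:
    """The post's local change: swap the salt characters before calling the
    unchanged routine, but keep the file format (salt stored as given)."""
    out = legacy_crypt(password, salt[::-1])
    return salt + out[2:]


def check_password(stored: str, candidate: str, crypt_fn=legacy_crypt) -> bool:
    """Verify the way login (or a crack tool) does: salt comes from the entry."""
    salt = stored[:2]
    return crypt_fn(candidate, salt) == stored


def salt_reversal_helps(salt: str) -> bool:
    """Caveat: a palindromic salt ("aa") reverses to itself, so the modified
    program emits exactly the standard hash and the change protects nothing."""
    return salt[::-1] != salt
```

Anyone who knows the transformation simply applies it to their cracker, so this raises the cost of a casual attack only; it is not a substitute for strong passwords.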