I recently looked through the source of the shadow-packet and discovered
that, given a password longer than 8 characters, the routine pw_encrypt
simply splits it into two parts, one being the first 8 characters, the other
being the rest. These get encrypted separately, and the result is stored.
This looks like an invitation for a security hole to me - most people (me
included) tend to think "A long password is a good password". And, as we all
know, a password should contain some punctuation and some non-letters. Now
Crack. One part that is encrypted is just some variation of "receiver", the
other one is only three characters long.
So the long passwords in the current shadow implementation look more like
two passwords to Crack, one of which can probably be broken by brute force
(even the second part of a 13-character password could be found within a
couple of hours), the other one probably less obscured by digits/punctuation
than a standard one.
My advice for system administrators thus seems to be: "Either force your
users to use REALLY long words and make sure that they know the way the
passwords are encrypted, or recompile the shadow stuff without the option
for long passwords enabled."
Bernd Meyer, EE-student
"Nobody is a failure who has friends" (from: "isn't it a wonderful life?")

We both know that the earth is round
So we can't see the way before us to its end
We walk on this way, hand in hand,
And I hope you are still with me behind the horizon
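A worked illustration of the point the post makes, added here and not part of the original message nor of the shadow suite's own pw_encrypt: a salted SHA-256 stand-in replaces DES crypt (an assumption, so the example runs offline), the password "receiver!42" and salt "xy" are constructed samples, and the cost model compares a dictionary word plus a short suffix hashed as one unit against the same password hashed as two independent pieces.

```python
import hashlib

CHUNK = 8  # crypt(3)-style DES keys on at most 8 characters of input


def chunk_hash(chunk: str, salt: str) -> str:
    # Constructed stand-in for one crypt(3) call (salted SHA-256, truncated).
    # It is NOT the real DES crypt, but it keeps the property that matters
    # here: every piece can be checked in isolation.
    return hashlib.sha256((salt + chunk).encode()).hexdigest()[:13]


def split_encrypt(password: str, salt: str) -> list[str]:
    # The scheme the post describes: cut the password into 8-character
    # pieces, hash each piece on its own, store the results side by side.
    pieces = [password[i:i + CHUNK] for i in range(0, len(password), CHUNK)]
    return [chunk_hash(p, salt) for p in pieces]


def piece_matches(stored: list[str], index: int, guess: str, salt: str) -> bool:
    # A single piece is confirmed without knowing any other piece, which is
    # why the stored value behaves like two passwords rather than one.
    return chunk_hash(guess, salt) == stored[index]


def guesses_word_plus_suffix(words: int, suffix_len: int, alphabet: int = 95,
                             split: bool = True) -> int:
    # Cost model for the "receiver" + three characters case: a dictionary
    # word of `words` candidates in the first piece and a suffix of
    # `suffix_len` printable-ASCII characters in the second.  Hashing the
    # whole password at once multiplies the two spaces; hashing the pieces
    # separately only adds them.
    word_space, suffix_space = words, alphabet ** suffix_len
    return word_space + suffix_space if split else word_space * suffix_space


if __name__ == "__main__":
    salt = "xy"                                    # constructed salt
    stored = split_encrypt("receiver!42", salt)    # constructed sample password
    print(len(stored), "pieces stored")
    print("tail verifies alone:", piece_matches(stored, 1, "!42", salt))
    print("separate pieces:", guesses_word_plus_suffix(50_000, 3))
    print("one hash:       ", guesses_word_plus_suffix(50_000, 3, split=False))
```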