Re: Unix links subverting Web security
> Basically, crypt() is pretty much open to all-out attack because the
> password is only 8 characters long. Crypt is safe, but the way it is
> implemented on Unix passwords is so weak as to make dictionary attacks
> easy.
>
There are a number of BSD OSes available that implement and support passwords
greater than 8 chars.
> There are many variations on this - the 8 character limit on passwords
> is a big hole.
>
The big hole is not the 8-char limit; the big hole is poor passwords. There's
only one type of password that is acceptable today: random gibberish (I mean
gibberish, nothing phonetic even) created by an RNG seeded by a
non-deterministic source (some good ones are available). A really random 8-char
passwd will make a brute-force attack not much fun. Now do this with a 12-char
passwd and things start looking good.
have fun,
rich
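The recommendation above (random characters from a non-deterministic source, and the difference 8 versus 12 characters makes to a brute-force attacker) as an added Python example; this is not code from the original post or from any system it mentions. It uses the standard library `secrets` module, which draws from the operating system's CSPRNG rather than a seeded pseudo-random generator, and estimates expected brute-force effort for an assumed guess rate. The alphabet (94 printable ASCII characters), the guess rate of one billion guesses per second, and the assumption that the attacker must search the full keyspace are illustrative assumptions, not figures from the thread.

```python
import math
import secrets
import string

# Assumed alphabet: 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int, alphabet: str = ALPHABET) -> str:
    """Return `length` characters chosen uniformly from `alphabet`.

    secrets.choice() reads from the OS CSPRNG (getrandom/urandom), which is
    the "RNG seeded by a non-deterministic source" the post asks for.
    The `random` module would NOT be suitable: it is a deterministic PRNG.
    """
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def expected_bruteforce_seconds(length: int,
                                alphabet_size: int = len(ALPHABET),
                                guesses_per_second: float = 1e9) -> float:
    """Expected time to guess a uniformly random password.

    On average the attacker finds the password after searching half the
    keyspace. The guess rate is an assumption for illustration only.
    """
    return keyspace(length, alphabet_size) / 2 / guesses_per_second


def compare_lengths(lengths=(8, 12),
                    alphabet_size: int = len(ALPHABET),
                    guesses_per_second: float = 1e9) -> dict:
    """Summarise keyspace, entropy and expected attack time per length."""
    year = 365.25 * 24 * 3600
    return {
        n: {
            "keyspace": keyspace(n, alphabet_size),
            "bits": round(entropy_bits(n, alphabet_size), 2),
            "expected_years": expected_bruteforce_seconds(
                n, alphabet_size, guesses_per_second) / year,
        }
        for n in lengths
    }


if __name__ == "__main__":
    for n in (8, 12):
        print(f"{n}-char sample: {random_password(n)}")
    for n, row in compare_lengths().items():
        print(f"{n} chars: {row['bits']} bits, "
              f"~{row['expected_years']:.3g} years at 1e9 guesses/s")
```

Going from 8 to 12 characters multiplies the keyspace by 94^4 (about 7.8e7), which is why the post says things "start looking good" at 12: the expected attack time goes from weeks to millions of years at the assumed guess rate. Note that this only holds if the password hash actually uses all 12 characters; a scheme that silently truncates to 8 bytes, as the quoted text describes for traditional crypt(), gives you the 8-character row regardless of what you typed.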