[SOLVED] Password Bug (entire password not required)


I use a long password for extra security...

Well, I thought I had extra security. I recently read a review of SimplyMEPIS that pointed out a flaw where only 8 characters of the password are required.

To my surprise, when I tried logging in as root with only 8 characters of my longer password, it took it.

Isn't this a serious security flaw that needs to be addressed?

Jon Du Quesne

Not A Bug

Hi Jim. No, this isn't a bug or flaw. It is a known issue with different Linux distributions when the passwords are designed to be compatible with traditional Unix. The older password method only hashed 8 characters of a password (just like your user name could only be 8 characters). All others were ignored as you have found out.

Newer versions of Linux usually have an option to choose the older, less secure password hashing, or the newer md5 (and other) methods of password hashing.

Now, I will step beyond my knowledge, because I thought, like you, that Mepis used the newer methods of password hashing.

Can one of the Mepis "Experts" shed more light on this? Is there a way, like in SUSE, to choose the type of password hashing? If so, what/where is it?

Jon

Dave_L

More info

This is an old thread, but it's probably still applicable: http://www.mepislovers.org/modules/newbb/viewtopic.php?topic_id=8272

Jon Du Quesne

Thanks for The Reference

DaveL, thanks for the reference. I went out to see if I could find a little more on the history of the maximum length.

For those who don't know, the password you enter is stored in /etc/passwd or /etc/shadow as a hash, not encrypted. What that means is that it is one way. When you enter a password, it is run through the crypt algorithm that maps multiple characters to single characters. For that reason you cannot decrypt the password. You can however find a match using a "dictionary search".

But the 8 character limit is due to history. Here are some links I found:
google search: "password length site:tldp.org" (without quotes)

Linux Shadow Password HOWTO: Why shadow your passwd file?
http://www.tldp.org/HOWTO/Shadow-Password-HOWTO-2.html
Gives some detail on how the crypt function works

google search: "password length site:tldp.org md5"

Securing Debian HOWTO - After Installation
http://es.tldp.org/Presentaciones/200103hispalinux/jfs2/html/ch4.html
Appears to be somewhat dated, but gives reference to /etc/pam.d/passwd file. I don't know if/whether this is applied in Mepis, but I don't think so.

I'll see if I can find out more later :)

Jon

Solved

I read a new review of SimplyMEPIS 6.0 this morning and the author figured out that all you have to do is use the passwd command from a console and a longer password works:

http://www.free-bees.co.uk/articles/simplymepis6/

So, it appears that the MEPIS install screens are the culprit, not the distro itself (the install screens apparently truncate whatever password you type to 8 characters).

So, just open a console to set it to a longer password using the passwd command. I just tried this with SimplyMEPIS 6.0 and it works (if you use a longer password, the login screens will now require it, since the passwd command isn't truncating it like the MEPIS install screens do).

Open Konsole as root, then type

passwd

Jim C.
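
To tell whether an 8-character limit comes from the hash scheme or from something upstream such as an installer, the hash field in /etc/shadow can be classified by its format. The following is an added example, not part of any post in this thread; the shadow lines are constructed sample data with placeholder hashes, and the function names are hypothetical.

```python
import re

# crypt(3) hash formats as they appear in field 2 of /etc/shadow.
# Third item: how many password bytes the scheme uses (None = no practical limit).
SCHEMES = [
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "traditional DES crypt", 8),
    (re.compile(r"^\$1\$"), "MD5 crypt", None),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt", 72),
    (re.compile(r"^\$5\$"), "SHA-256 crypt", None),
    (re.compile(r"^\$6\$"), "SHA-512 crypt", None),
    (re.compile(r"^\$y\$"), "yescrypt", None),
]

# Constructed sample lines; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = "\n".join([
    "root:ab0123456789A:13300:0:99999:7:::",
    "jim:$1$saltsalt$0123456789abcdefghijkl:13300:0:99999:7:::",
    "jon:$6$saltsalt$" + "x" * 86 + ":13300:0:99999:7:::",
    "daemon:*:13300:0:99999:7:::",
    "dave:!ab0123456789A:13300:0:99999:7:::",
])

def classify(field):
    """Return (scheme_name, max_password_bytes) for one shadow hash field."""
    locked = field.startswith("!")      # leading '!' marks a locked account
    body = field.lstrip("!")
    if body in ("", "*"):
        return ("no usable password" if (locked or body) else "empty password", None)
    for pattern, name, max_len in SCHEMES:
        if pattern.search(body):
            return (name + (" (locked)" if locked else ""), max_len)
    return ("unknown", None)

def audit(shadow_text):
    """Map each account name to classify() of its hash field."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and not line.startswith("#"):
            result[parts[0]] = classify(parts[1])
    return result

def truncated_accounts(shadow_text, limit=8):
    """Accounts whose hash scheme ignores password bytes past `limit`."""
    return sorted(u for u, (_, n) in audit(shadow_text).items()
                  if n is not None and n <= limit)

if __name__ == "__main__":
    for user, (scheme, max_len) in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {scheme:32} significant bytes: {max_len or 'all'}")
```

If the root entry reports MD5 crypt or a newer scheme yet an 8-character prefix still logs in, the truncation happened before hashing, as with the install screens described in the post above.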

Jon Du Quesne

Thanks Again Jim

I just saw this post too, Jim. See my comments on the previous post :)

http://www.mepis.org/node/11096

Jon
