10 Replies Latest reply on Sep 10, 2008 4:53 PM by 807557

    passwd bug?

There are some passwords on Solaris 10 5/08 (SPARC) and OpenSolaris 2008.05 (x86) that are validated with 'password*'. You enter the password + random chars (the * in my example) and you can log in. I also have some problem when I use, for example, 'qwerty1', then I change to 'asdf2' and finally 'qwerty1asdf2'. After that I can log in with 'qwerty1*'. I also tried a password like 'Qwerty1&' and after that I was able to log in with 'Qwerty1*'. That's weird because it doesn't work with every password. So if you brute force with an N-char password, you try ~N passwords in one try.

      Am I the only one with this problem?
        • 1. Re: passwd bug?
Maybe it's because the password only takes the first 8 characters as the password by default... the rest is ignored.
Check the file /etc/default/passwd for more info..

          I hope it helps
          • 2. Re: passwd bug?
I'm on a default installation of s10 5/08. The only thing I found in /etc/default/passwd is
I don't understand why you would want to use the first 8 chars, ignore everything after, and still accept the password?
            • 3. Re: passwd bug?
OK, 6 chars is what's being used by default, sorry.

              Change it and match the size you want in your passwords.
              • 4. Re: passwd bug?
PASSLENGTH is for setting the minimum length of the password, not for ignoring the chars past the sixth char... The problem is that if I set a password 'qwerty' I can log in with 'qwertyfdsagfagfdgfds' or 'qwerybvxkrejfdasjkk'... everything like 'qwerty*' is accepted.
                • 5. Re: passwd bug?
                  The behavior you describe is expected when using the default "crypt_unix" password encryption scheme. This scheme will only encrypt the first eight characters of a password, and thus only the first eight characters need to match when the password is typed in again. It is not a "bug", but a known limitation of the algorithm - it is largely kept around for backward compatibility, and unfortunately is set as the default on Solaris systems when installed.

                  To resolve this, set your OS to use MD5 or Blowfish algorithms instead of crypt_unix.

                  This can be changed in the /etc/security/policy.conf file. You can set crypt algorithms to allow, and there is also a setting to deprecate (forbid) the use of the "crypt_unix" algorithm and change the default to a more secure one.

                  See your "Solaris 10 System Administration Guide: Security Services" for more information.

(Relevant section linked here.)
                  • 6. Re: passwd bug?
Seriously, a big thanks! I didn't find anything about this particularity after a lot of googling and searching on forums. Wrong keywords, I guess...
                    • 7. Re: passwd bug?
                      Happy to help!

                      The irony is that some organizations insist on longer passwords (ten or 13 characters) for accounts, but never realize that only eight characters will be checked, so their "increased security" is just an illusion.
                      • 8. Re: passwd bug?
Actually, you can change the default encryption, which, as already noted, is up to 8 characters.

                        See this link: http://docs.sun.com/app/docs/doc/819-3321/secsystask-42?a=view

                        1 and 5 are 2 versions of md5, 2a is blowfish.

                        Using these gives you a password length of 255 characters.
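To make the two points above concrete (the policy.conf keywords from reply 5 and the algorithm identifiers from this reply), here is an added audit script; it is not code from the thread or from Sun. It reports whether a policy.conf-style text still defaults new passwords to crypt_unix and counts shadow-style entries whose hash has no "$id$" prefix, i.e. the entries where only the first eight characters are checked. The policy and shadow samples are constructed; the identifiers 1 (BSD MD5), 2a (Blowfish) and md5 (Sun MD5) are the policy.conf(4)/crypt.conf(4) names used in the thread, and the locked-account markers *LK* and NP are assumed from Solaris shadow(4).

```sh
#!/bin/sh
# Added audit example (not from the thread or from Sun). It checks whether a
# policy.conf-style text defaults to crypt_unix and classifies shadow-style
# hash fields by prefix. All sample data below is constructed.

# Constructed sample: the out-of-the-box setting the thread complains about
WEAK_POLICY='CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=__unix__'

# Constructed sample: the hardened setting recommended in the thread
HARD_POLICY='CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=2a'

# Print "weak" when new passwords would be hashed with crypt_unix (only the
# first 8 characters matter), "ok" otherwise. A missing CRYPT_DEFAULT line
# also means crypt_unix, so it is reported as weak.
policy_default() {
    val=$(printf '%s\n' "$1" | sed -n 's/^CRYPT_DEFAULT=[[:space:]]*//p' | tail -n 1)
    case "$val" in
        __unix__|'') echo weak ;;
        *)           echo ok ;;
    esac
}

# Classify one shadow hash field. crypt_unix hashes are 13 characters with
# no "$id$" prefix, so any unprefixed, unlocked field is crypt_unix.
hash_scheme() {
    case "$1" in
        '$1$'*)        echo bsdmd5 ;;
        '$2a$'*)       echo blowfish ;;
        '$md5$'*)      echo sunmd5 ;;
        ''|'*LK*'|NP)  echo locked ;;
        *)             echo crypt_unix ;;
    esac
}

# Count accounts in shadow-format text (user:hash:...) still on crypt_unix.
count_unix_hashes() {
    printf '%s\n' "$1" | while IFS=: read -r user hash _; do
        [ "$(hash_scheme "$hash")" = crypt_unix ] && printf '%s\n' "$user"
    done | wc -l | tr -d ' '
}

# Constructed shadow-style sample: one legacy hash, two strong ones, one locked
SHADOW='alice:xyHd4lpMh3zqU:14000::::::
bob:$2a$08$abcdefghijklmnopqrstuv:14000::::::
carol:$md5$rounds=4096$abcdef$xyz:14000::::::
svc:*LK*:14000::::::'

policy_default "$WEAK_POLICY"   # weak
policy_default "$HARD_POLICY"   # ok
count_unix_hashes "$SHADOW"     # 1
```

Note that changing CRYPT_DEFAULT only affects passwords set afterwards: existing crypt_unix hashes stay in /etc/shadow until each user changes their password, which is why the count of unprefixed hashes is the number worth tracking after the policy change.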


                        • 9. Re: passwd bug?
Actually, the "old" algorithm still gives you about 1,677,721,600,000,000 (= 80^8, considering 80 actually typeable characters: a-zA-Z0-9 and the various signs and punctuation stuff) possible passwords.
People who are unable to pick a secure password with 8 chars won't be able to pick one with 12 or 255 chars either. Even the longest password won't protect you from fools using '12345678' or 'password'.
                          Some social problems simply can't be solved technologically.
                          • 10. Re: passwd bug?
                            Some environments have minimum password lengths >8 so they would be impacted.