10 Replies Latest reply on Sep 10, 2008 4:53 PM by 807557

    passwd bug?

    807557
There are some passwords on solaris 10 5/08 (SPARC) and opensolaris 2008.05 (x86) that are validated with 'password*'. You enter the password + random chars (the * in my example) and you can log in. I also have some problem when I used for example 'qwerty1', then I changed to 'asdf2' and finally 'qwerty1asdf2'. After that I can log in with 'qwerty1*'. I also tried some password like 'Qwerty1&' and after that I was able to log in with 'Qwerty1*'. That's weird because it doesn't work with every password. So if you brute force with an N-char password, you try ~N passwords in one try.

      Am I the only one with this problem?
        • 1. Re: passwd bug?
          807557
Maybe it's because the password only takes the first 8 characters as the password by default... the rest is ignored.
Check the file /etc/default/passwd for more info.

          I hope it helps
          • 2. Re: passwd bug?
            807557
            I'm on a default installation of s10 5/08. The only thing I found in /etc/default/passwd is
            MAXWEEKS=
            MINWEEKS=
            PASSLENGTH=6
            I don't understand why you could want to use the first 8 chars and ignore everything after and still accept the password?
            • 3. Re: passwd bug?
              807557
OK, 6 chars is being used by default, sorry.

              Change it and match the size you want in your passwords.
              • 4. Re: passwd bug?
                807557
PASSLENGTH is for setting the minimum length of the password, not for ignoring the chars past the sixth char... The problem is that if I set a password 'qwerty' I can log in with 'qwertyfdsagfagfdgfds' or 'qwerybvxkrejfdasjkk'... everything like 'qwerty*' is accepted.
                • 5. Re: passwd bug?
                  807557
                  The behavior you describe is expected when using the default "crypt_unix" password encryption scheme. This scheme will only encrypt the first eight characters of a password, and thus only the first eight characters need to match when the password is typed in again. It is not a "bug", but a known limitation of the algorithm - it is largely kept around for backward compatibility, and unfortunately is set as the default on Solaris systems when installed.

                  To resolve this, set your OS to use MD5 or Blowfish algorithms instead of crypt_unix.

                  This can be changed in the /etc/security/policy.conf file. You can set crypt algorithms to allow, and there is also a setting to deprecate (forbid) the use of the "crypt_unix" algorithm and change the default to a more secure one.

                  See your "Solaris 10 System Administration Guide: Security Services" for more information.

(Relevant section linked here.)
                  • 6. Re: passwd bug?
                    807557
                    Seriously a big thanks! I didn't find anything about this particularity after a lot of googling and searching on forums. Wrong key words I guess...
                    • 7. Re: passwd bug?
                      807557
                      Happy to help!

                      The irony is that some organizations insist on longer passwords (ten or 13 characters) for accounts, but never realize that only eight characters will be checked, so their "increased security" is just an illusion.
                      • 8. Re: passwd bug?
                        807557
                        Actually you can change the default encryption which as already noted is up to 8 characters.

                        See this link: http://docs.sun.com/app/docs/doc/819-3321/secsystask-42?a=view

                        1 and 5 are 2 versions of md5, 2a is blowfish.

                        Using these gives you a password length of 255 characters.

                        HTH

                        Dean
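The two things an administrator actually has to check after reading replies 5 and 8 are (a) whether policy.conf still defaults to crypt_unix and fails to deprecate it, and (b) which accounts in /etc/shadow still carry a crypt_unix hash, since switching CRYPT_DEFAULT does not rehash anything until each user next changes their password. The following audit script is an added example, not code from the thread or from Sun; the policy.conf and shadow contents it reads are constructed samples, the algorithm identifiers 1, 2a and 5 are the ones named above, and the spelling `__unix__` for the legacy scheme in policy.conf is an assumption from the Solaris 10 policy.conf layout.

```python
"""Audit a Solaris-style policy.conf and shadow file for the crypt_unix
(8-character truncating) password hash scheme.

Added example; all file contents below are constructed, not real hashes."""
import re

# Identifiers as they appear between "$" in modular hashes and in policy.conf.
# 1, 2a and 5 are the ones named in the thread (MD5, Blowfish, SHA-256).
MODULAR_ALGOS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256"}
# Assumption: policy.conf spells the legacy crypt_unix scheme as __unix__.
LEGACY_ID = "__unix__"

# Traditional crypt_unix output: 2-char salt + 11-char hash, no "$" prefix.
TRADITIONAL_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular hash: "$<id>$..." where <id> selects the algorithm.
MODULAR_RE = re.compile(r"^\$([^$]+)\$")

WEAK_POLICY = """\
# Constructed sample: legacy default, nothing deprecated
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=__unix__
"""

FIXED_POLICY = """\
# Constructed sample: modular default, legacy scheme deprecated
CRYPT_ALGORITHMS_ALLOW=1,2a,5
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=5
"""

SAMPLE_SHADOW = """\
root:*LK*:14000::::::
legacyuser:abCONSTRUCTED:14000::::::
alice:$1$ctSALT$CONSTRUCTEDmd5hashValue00:14000::::::
bob:$2a$08$CONSTRUCTEDblowfishSaltAndHash000000:14000::::::
svc:NP:14000::::::
"""


def parse_policy_conf(text):
    """Return KEY -> value for every uncommented KEY=value line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def policy_findings(text):
    """List the policy.conf settings that keep crypt_unix in play."""
    conf = parse_policy_conf(text)
    findings = []
    # Assumption: an absent CRYPT_DEFAULT behaves like the legacy scheme.
    if conf.get("CRYPT_DEFAULT", LEGACY_ID) == LEGACY_ID:
        findings.append("CRYPT_DEFAULT is crypt_unix: new passwords are "
                        "truncated to 8 characters")
    deprecated = {a.strip() for a in
                  conf.get("CRYPT_ALGORITHMS_DEPRECATE", "").split(",")
                  if a.strip()}
    if LEGACY_ID not in deprecated:
        findings.append("crypt_unix is not in CRYPT_ALGORITHMS_DEPRECATE: "
                        "existing 8-char hashes are never migrated")
    return findings


def classify_hash(field):
    """Classify one shadow password field by the scheme that produced it."""
    if field in ("", "NP", "*NP*"):
        return "no-password"
    if field == "*" or field.startswith("*LK*"):
        return "locked"
    if TRADITIONAL_RE.match(field):
        return "crypt_unix"
    m = MODULAR_RE.match(field)
    if m:
        return MODULAR_ALGOS.get(m.group(1), "modular:" + m.group(1))
    return "unrecognised"


def audit_shadow(text):
    """Map user -> hash class for every entry of a shadow file."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            result[fields[0]] = classify_hash(fields[1])
    return result


def users_needing_rehash(text):
    """Accounts whose stored hash still only covers the first 8 characters."""
    return sorted(u for u, c in audit_shadow(text).items() if c == "crypt_unix")


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "policy findings:", policy_findings(policy) or "none")
    print("shadow audit:", audit_shadow(SAMPLE_SHADOW))
    print("still on crypt_unix:", users_needing_rehash(SAMPLE_SHADOW))
```

The classifier keys only on the hash format, so it needs no access to the crypt(3C) modules and can be run against a copied shadow file on any host; anything it reports as crypt_unix is an account for which the longer site password policy is, as reply 7 puts it, an illusion until that user's next password change.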
                        • 9. Re: passwd bug?
                          807557
                          Actually, the "old" algorithm still gives you about 1.677.721.600.000.000 ( = 80^8 considering 80 actually typeable characters.. a-zA-Z0-9 and the various signs and punctuation stuff) possible passwords.
                          People who are unable to pick a secure password with 8 chars, won't be able to pick one with 12 or 255 chars either. Even the longest password won't protect you from fools using '12345678' or 'password'.
                          Some social problems simply can't be solved technologically.
                          • 10. Re: passwd bug?
                            807557
                            Some environments have minimum password lengths >8 so they would be impacted.

                            Dean