Quote:
Originally Posted by Phil21

borked,
yep, FreeBSD does not use standard DES crypt, which is explained in the man page. Which was basically my entire point.
For systems that DO use standard DES crypt (the majority, I would assume), there is absolutely an 8 character limit. This is what the OP was running into, not some strange "salt doesn't matter" etc. issue. Just a well-known, designed-in, and documented character limit.
 
Just to reiterate, since my point seems to be entirely lost.
 
THE PASSWORD HASHES ARE THE SAME BECAUSE THE PASSWORD IS THE SAME.
 
Again.
 
THE PASSWORD HASHES ARE THE SAME BECAUSE THE PASSWORD IS THE SAME.
 
12345678 is EXACTLY THE SAME as 12345678abcdefg for standard DES crypt.
 
There is no security issue here; if you don't like the 8 character limit, either run a different OS (FreeBSD) or simply use a compatible but different crypt() function (yes, Apache's htpasswd can be updated, as well as Perl's, whatever).
 
Peace,
 
-Phil
 
Well, you're right!
The limit is 8 chars.
I only got into the salt debate because someone posted that the problem could be fixed with random salt.
The only fix is to limit passwords to 8 chars or use something other than crypt().
Well, at least I discovered some really smart people in this post, which made it all worth my time.
Thanks for all the replies and "battles" hehehe!
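
The limit the thread settles on, as an added example that is not part of any poster's message: traditional DES crypt builds its 56-bit key from the low 7 bits of the first 8 password bytes, so anything after byte 8 never reaches the hash, and an audit can flag stored hashes in that 13-character format. The function names, the UTF-8 encoding choice and the sample htpasswd lines are assumptions made here; the sample hashes are constructed, format-valid placeholders.

```python
import re

# Traditional DES crypt output: 2 salt chars + 11 hash chars from this alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Prefixes of schemes that hash the whole password (or far more than 8 bytes).
PREFIXES = {"$apr1$": "apr1-md5", "$1$": "md5-crypt", "$2a$": "bcrypt",
            "$2b$": "bcrypt", "$2y$": "bcrypt", "$5$": "sha256-crypt",
            "$6$": "sha512-crypt"}


def des_crypt_key(password):
    """Key bytes traditional DES crypt uses: the first 8 bytes, zero-padded,
    each shifted left one bit (keeps the low 7 bits, drops the rest)."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")  # encoding: assumption
    return bytes((b << 1) & 0xFF for b in raw)


def same_under_des_crypt(a, b):
    """True when both passwords yield identical DES key bytes, so they
    produce the same hash for any given salt."""
    return des_crypt_key(a) == des_crypt_key(b)


def classify_hash(h):
    """Name the scheme of a crypt(3)/htpasswd-style hash from its format."""
    for prefix, name in PREFIXES.items():
        if h.startswith(prefix):
            return name
    return "des-crypt" if DES_CRYPT_RE.match(h) else "unknown"


def truncating_entries(htpasswd_text):
    """User names whose stored hash is traditional DES crypt (8-byte limit)."""
    flagged = []
    for line in htpasswd_text.splitlines():
        user, sep, h = line.strip().partition(":")
        if sep and classify_hash(h) == "des-crypt":
            flagged.append(user)
    return flagged


# Constructed sample: format-valid placeholder hashes, not real ones.
SAMPLE = "alice:ab1234567890.\nbob:$apr1$saltsalt$xxxxxxxx\ncarol:$6$saltsalt$yyyyyyyy\n"

if __name__ == "__main__":
    print(same_under_des_crypt("12345678", "12345678abcdefg"))
    print(truncating_entries(SAMPLE))
```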