Welcome to the Builder Academy

Password Length

30 Oct 2013 19:35 #4448 by Parnassus
Password Length was created by Parnassus
Nok has pointed out that the password is limited to 8 characters in that all following characters are disregarded. This, in conjunction with this TMS forum thread:
www.topmudsites.com/forums/tavern-blue-h...-6-8-characters.html
makes me wonder...why? I know that at one time, max 8 was considered normal but I don't think it is, anymore. Now it seems to be considered insecure.

Help buffers says:
define MAX_PWD_LENGTH 30

structs.h says (okay, I don't know which version I'm looking at here):
#define MAX_PWD_LENGTH 30 /**< Max PC password length */

Don't these indicate that the password is allowed to be 30 characters? Where is it defined that only 8 characters actually matter?

Also, is there a warning anywhere? I would think that the knowledge of this might make a difference when a person is actually making the password.


30 Oct 2013 21:33 #4450 by thomas
Replied by thomas on topic Password Length
The real reason for the age-old 8-character password limit comes from the library used to encrypt those passwords, crypt(). Here from "man crypt":

crypt() is the password encryption function. It is based on the Data
Encryption Standard algorithm with variations intended (among other
things) to discourage use of hardware implementations of a key search.

key is a user's typed password.

salt is a two-character string chosen from the set [a-zA-Z0-9./]. This
string is used to perturb the algorithm in one of 4096 different ways.

By taking the lowest 7 bits of each of the first eight characters of
the key, a 56-bit key is obtained. This 56-bit key is used to encrypt
repeatedly a constant string (usually a string consisting of all
zeros). The returned value points to the encrypted password, a series
of 13 printable ASCII characters (the first two characters represent
the salt itself).

However, in more modern versions of crypt() it will encrypt with either MD5, SHA-256 or SHA-512, taking all characters into account. This happens automatically if a newer library (glibc2) is accessible on the platform.

The 30-byte limit is on the input buffer, and was also used in the pre-ascii pfiles.

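The truncation the man page excerpt describes, and the kind of check that could back the warning asked about in the first post, as an added example; it is not code from either poster or from the MUD code base. The function names are hypothetical, the scheme check assumes glibc's "$1$", "$5$" and "$6$" prefixes for MD5, SHA-256 and SHA-512, and the hash strings are constructed to imitate the formats only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum pw_scheme { PW_DES, PW_MD5, PW_SHA256, PW_SHA512, PW_UNKNOWN };

/* The 56 bits traditional crypt() keeps: low 7 bits of each of the first 8
 * characters (packed here for comparison, not in DES's own bit order). */
uint64_t des_crypt_key56(const char *password)
{
    uint64_t key = 0;
    size_t len = strlen(password);
    for (size_t i = 0; i < 8; i++) {
        unsigned char c = (i < len) ? (unsigned char)password[i] : 0; /* short keys zero-fill */
        key = (key << 7) | (uint64_t)(c & 0x7f);
    }
    return key;
}

/* Classify a stored hash by its format: glibc marks the newer schemes with
 * a "$id$" prefix; the traditional form is 13 characters from [a-zA-Z0-9./]. */
enum pw_scheme stored_hash_scheme(const char *hash)
{
    static const char b64[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./";
    if (strncmp(hash, "$1$", 3) == 0) return PW_MD5;
    if (strncmp(hash, "$5$", 3) == 0) return PW_SHA256;
    if (strncmp(hash, "$6$", 3) == 0) return PW_SHA512;
    if (strlen(hash) == 13 && strspn(hash, b64) == 13) return PW_DES;
    return PW_UNKNOWN;
}

/* Trailing characters of `password` the stored scheme disregards (0 = none). */
size_t ignored_chars(const char *password, const char *stored_hash)
{
    size_t len = strlen(password);
    if (stored_hash_scheme(stored_hash) != PW_DES || len <= 8) return 0;
    return len - 8;
}

int main(void)
{
    /* Constructed strings that only imitate the two stored-hash formats. */
    printf("same key: %d, ignored: DES %zu, SHA-512 %zu\n",
           des_crypt_key56("correcthorse") == des_crypt_key56("correcthXYZ"),
           ignored_chars("correcthorse", "ab0123456789."),
           ignored_chars("correcthorse", "$6$salt$placeholder"));
    return 0;
}
```

A nonzero result from `ignored_chars` at password-creation time is the point at which a player could be told that only the first eight characters count.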
