Years ago it used to be the case that Unix passwords were limited to 8 characters, or that if you made the password longer than 8 characters the extra wouldn't make any difference.
Is that still the case on most modern Unix/Linux systems?
If so, around when did longer passwords become possible on most systems?
Is there an easy way to tell if a given system supports longer passwords and if so, what the effective maximum (if any) would be?
I've done some web searching on this topic and couldn't really find anything definitive; much of what came up was from the early 2000s when I think the 8 character limit was still common (or common enough to warrant sticking to that limit).
It depends on which authentication module is used. In modern Linux systems, there is no maximum limit on password length. Some obsolete systems might have limits imposed by their password storage system -- popular maximums seem to be 8, 40, and 255. Save this answer.
Passwords in unix were originally stored in /etc/passwd (which is world-readable), but then moved to /etc/shadow (and backed up in /etc/shadow-) which can only be read by root (or members of the shadow group). The password are salted and hashed.
UNIX password encryption uses the DES algorithm 25 times in a row. The first DES round uses 64 0-bits as input and encrypts them with the password the user inputs, with a permutation taking place during the encryption process. There are 4096 possible permutations. The permutation used is randomly chosen for each user.
minlen=8(minimum length of a password)
Although the original DES-based algorithm only used the first 8 characters of the password, Linux, Solaris, and other newer systems now additionally support other password hash algorithms such as MD5 which do not have this limit. Sometimes it is necessary to continue using the old algorithm if your network contains older systems and if NIS is used. You can tell that the old DES-based algorithm is still being used if the system will log you in when you enter only the first 8 characters of your >8-character password.
Because it is a hash algorithm, MD5 does not have an intrinsic limit. However various interfaces do generally impose some limit of at least 72 characters.
Although originally the encrypted password was stored in a world-readable file (/etc/passwd
), it is now usually stored in a separate shadow database (e.g. /etc/shadow
) which is only readable by root. Therefore, the strength of the algorithm is no longer as important as it once was. However if MD5 is inadequate, Blowfish or SHA can be used instead on some systems. And Solaris supports pluggable password encryption modules, allowing you to use any crazy scheme. Of course if you are using LDAP or some other shared user database then you will need to select an algorithm that is supported on all of your systems.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With