As far as usability goes, it is more usable to let users type whatever they want. If you limit a user to 8 characters someone is definitely going to be disappointed.
Say I want to use famous dictators as passwords (most people have to have easy analogies like this, it's how our brain works). But when I try typing Mussolini I'm stuck with Mussolin. How the hell am I supposed to remember that?
If the system only counts the first 8 symbols and that is secure enough, then fine! No problem, just let me use whatever password I want...
btw, are passwords with less than 8 characters less secure? Huh, got to run over to System Prefs and change my password then...
[quote]<strong>Say I want to use famous dictators as passwords</strong><hr></blockquote>
That's a bad idea in the first place. A l33t h4x0r could use a brute force too, with a dictionary, and might be able to find out the password in a few minutes.
[quote]<strong>(most people have to have easy analogies like this, it's how our brain works). But when I try typing Mussolini I'm stuck with Mussolin. How the hell am I supposed to remember that?</strong><hr></blockquote>
You aren't. You can remember "Mussolini" and *type* "Mussolini", too. Nothing will go wrong; it's just that only "Mussolin" will be *checked* internally, but you won't have to care about that.
[quote]<strong>btw, are passwords with less than 8 characters less secure?</strong><hr></blockquote>
Well, of course. The fewer characters, the fewer possible combinations.
10.2 has a modular authentication architecture - open Directory Access to see some of the options. Unix crypt may not be the encryption used, so the login dialog cannot limit the field.
The 8 character thing is kinda ghey (gei?), as already mentioned. Every Unix-like system, after all, has one user in common: the super-user. So I know your system can be logged into as 'root', and with a max of 8 chars in your password and brute-force methods (trying every possible combination, starting with the most likely), it really is only a matter of time before it gets cracked.
[quote]<strong>It would be nice if Apple was ahead of the curve and used MD5 passwords or something similar without the 8 char limit.
By the way, there are 95^8 = 6634204312890625 possible passphrase combinations as it stands.</strong><hr></blockquote>
Yes, and as I stated a few posts earlier, it would take months for a computer to try that many passwords. Having even 11 or 12 characters would take a terahertz computer a few hundred years to try each password.
8 characters is quite adequate for most access security needs. Accepting more than eight characters at login just makes picking a password easier.
I can see a slightly more practical reason for concern here:
A user, knowing well enough not to use a lone standard word for a password, might come up with 'kangaroo123boog' as a password.
Yet someone trying to crack the pass using a simple dictionary file would strike gold with just 'kangaroo'. The security of an 8 character password is probably fine for a desktop OS, but Apple's implementation might cause trouble.
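An added example (my own, not code from the thread or from Apple) that models what robo describes: a constructed crypt(3)-style verifier that silently hashes only the first 8 characters, a defender's audit check that reports how many characters a verifier really compares, and the 95^8 keyspace figure quoted above. The hash functions are stand-ins (SHA-256 and PBKDF2, not DES crypt), and the wordlist is constructed.

```python
import hashlib
import hmac
import os

CRYPT_LIMIT = 8  # traditional Unix crypt(3) uses only the first 8 characters

# Constructed stand-in for a crypt(3)-style verifier: everything past
# CRYPT_LIMIT is dropped before hashing (SHA-256 here, not real DES crypt).
def legacy_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password[:CRYPT_LIMIT].encode()).digest()

# Constructed stand-in for a verifier without the limit.
def full_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_verifier(hash_fn, password: str):
    """Store one account's salted hash and return verify(candidate) -> bool."""
    salt = os.urandom(16)
    stored = hash_fn(password, salt)
    return lambda candidate: hmac.compare_digest(hash_fn(candidate, salt), stored)

def effective_length(verify, password: str) -> int:
    """Audit check: using a password you already know, report how many leading
    characters the verifier actually compares (len(password) if none are dropped)."""
    if not verify(password + "X"):       # extra character rejected: no truncation
        return len(password)
    for n in range(1, len(password)):    # otherwise find the shortest accepted prefix
        if verify(password[:n]):
            return n
    return len(password)

def effective_secret(password: str, limit: int = CRYPT_LIMIT) -> str:
    """The part of a password a truncating verifier really checks."""
    return password[:limit]

def keyspace(length: int, alphabet: int = 95) -> int:
    """Number of passwords of exactly `length` printable-ASCII characters."""
    return alphabet ** length

if __name__ == "__main__":
    pw = "kangaroo123boog"
    wordlist = {"kangaroo", "wombat", "password"}   # constructed sample dictionary
    print("legacy verifier compares", effective_length(make_verifier(legacy_hash, pw), pw), "chars")
    print("full verifier compares", effective_length(make_verifier(full_hash, pw), pw), "chars")
    print("dictionary hit after truncation:", effective_secret(pw) in wordlist)
    print("95^8 =", keyspace(8), "  95^15 =", keyspace(15))
```

The point the check makes is that 'kangaroo123boog' and 'kangaroo' are the same secret to the truncating verifier, so the 15-character password is only as strong as the dictionary word.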
[quote]<strong>I can see a slightly more practical reason for concern here:
A user, knowing well enough not to use a lone standard word for a password, might come up with 'kangaroo123boog' as a password.
Yet someone trying to crack the pass using a simple dictionary file would strike gold with just 'kangaroo'. The security of an 8 character password is probably fine for a desktop OS, but Apple's implementation might cause trouble.
But, then again, it's probably no big deal.
-robo</strong><hr></blockquote>
Actually you can't set a password with more than eight characters.
I keep my password as eight random lower-case letters (e.g. qpnrvtxi).
AFAIK, one can call it an unwanted feature. OS X should definitely allow for much longer passwords. Just because the limitation is a Unix standard, that certainly doesn't make it beyond reproach. I'm not going to lose much sleep over it, but I empathize with those who may.
Some hacker should fix this daft 'feature'
Actually, root user is disabled by default in OS X, so any hacker who tried would spend the vast majority of their time pissing up a metaphorical rope.