[MacTUG] OS X password length limit... not eight characters?

Ian Turner iturner at uwaterloo.ca
Tue Dec 14 08:50:10 EST 2010


and further in the OD Admin manual (some history which explains the 
original post - note it refers to OSX 10.0, which as noted below used 
Crypt passwords)


Note: Open Directory passwords can’t be used to log in to Mac OS X v10.1 
or earlier. Users who log in using the login window of Mac OS X v10.1 or 
earlier must be configured to use crypt passwords. The password type 
doesn’t matter for other services. For example, a user of Mac OS X v10.1 
could authenticate for AFP service with an Open Directory password.

About Shadow Passwords
Shadow passwords support the same traditional authentication methods as 
Open Directory Password Server. These authentication methods are used to 
send shadow passwords over the network in a scrambled form, or hash.
A shadow password is stored as several hashes in a file on the same 
computer as the directory domain where the user account resides. Because 
the password is not stored in the user account, the password is not easy 
to capture over the network. Each user’s shadow password is stored in a 
different file, named a shadow password file, and these files are 
protected so they can be read only by the root user account.
Only user accounts that are stored in a computer’s local directory 
domain can have a shadow password. User accounts that are stored in a 
shared directory can’t have a shadow password.
Shadow passwords also provide cached authentication for mobile user 
accounts. For complete information about mobile user accounts, see User 
Management.

About Crypt Passwords
A crypt password is stored in a hash in the user account. This strategy, 
historically named basic authentication, is most compatible with 
software that needs to access user records directly. For example, Mac OS 
X v10.1 and earlier expect to find a crypt password stored in the user 
account.
Crypt authentication supports a maximum password length of eight bytes 
(eight ASCII characters). If a longer password is entered in a user 
account, only the first eight bytes are used for crypt password 
validation. Shadow passwords and Open Directory passwords are not 
subject to this length limit.
For secure transmission of passwords over a network, crypt supports the 
DHX authentication method.


On 2010/12/14 08:44 , Ian Turner wrote:
> and in the Open Directory Admin Manual for 10.6 (interesting, but of
> course not totally relevant because we authenticate from AD not OD
>
>
> The password must contain no more than 512 bytes (512 characters or
> fewer, depending on the language), although the network authentication
> protocol can impose different limits (for example, 128 characters for
> NTLMv2 and NTLM and 14 for LAN Manager). “Composing a Password” on page
> 105 provides guidelines for choosing passwords.
>
>
> ******
> thankfully, LAN Manager is now abolished here, I believe
>
> On 2010/12/14 08:37 , Ian Turner wrote:
>> from a "man passwd " in Snow Leopard
>>
>> The passwd utility changes the user's password.  If the user is not the
>> super-user, passwd first prompts for the current password and will not
>> continue unless the correct password is entered.
>>
>> When entering the new password, the characters entered do not echo, in
>> order to avoid the password being seen by a passer-by.  The passwd
>> utility prompts for the new password twice in order to detect typing
>> errors.
>>
>> The new password should be at least six characters long and not purely
>> alphabetic.  Its total length should be less than _PASSWORD_LEN
>> (currently 128 characters), although some directory systems allow longer
>> passwords.  Numbers, upper case letters, and meta characters are
>> encouraged.
>>
>>
>> On 2010/12/13 16:40 , Daniel Allen wrote:
>>> Googling "OS X password length" finds me the only official Apple
>>> support document that seems to mention password length:
>>>
>>> Mac OS X: Effective Password Length of Eight Characters
>>> http://support.apple.com/kb/TA20725
>>>
>>> Is there an effective limit? We're updating our password-changing
>>> process, and our Active Directory seems to accept 75+ character
>>> passwords without a problem. Preliminary checks seem to suggest the
>>> macs are fine with 90-character passwords, but I haven't tested many
>>> of the uses (eg, keychain).
>>>
>>> I'd mostly like to rule out some weird circumstance where the limit
>>> was still 8 characters (Leopard onward).
>>>
>>> Thanks,
>>> -Daniel
>>> _______________________________________________
>>> MacTUG mailing list
>>> MacTUG at lists.uwaterloo.ca
>>> https://lists.uwaterloo.ca/mailman/listinfo/mactug

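The manual excerpt above states that crypt authentication uses only the first eight bytes of a password, while shadow and Open Directory passwords do not. The following is an added example (not from Apple, the manual, or this list) showing how an administrator can probe an authentication backend for such a silent cut-off: a backend that ignores everything past byte eight will accept a candidate whose tail has been removed or altered. The "legacy" hash is a constructed stand-in that reproduces the eight-byte truncation using SHA-256; it is not the DES-based crypt(3) algorithm. It also shows why the manual says "eight bytes (eight ASCII characters)": UTF-8 passwords lose more than you might expect at a byte-level cut.

```python
import hashlib
import hmac

# Added example; constructed values, not Apple's or the list's own code.
CRYPT_MAX_BYTES = 8
SALT = b"constructed-salt"  # constructed salt for the demonstration


def legacy_crypt_like_hash(password: bytes, salt: bytes = SALT) -> bytes:
    """Stand-in for crypt(3): everything past the first eight bytes is
    ignored. Uses SHA-256 only to model the truncation, not DES crypt."""
    return hashlib.sha256(salt + password[:CRYPT_MAX_BYTES]).digest()


def modern_hash(password: bytes, salt: bytes = SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 over the whole password: no length cut-off."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


def make_verifier(hash_fn):
    """Wrap a hash function as verify(candidate, stored) -> bool,
    comparing in constant time."""
    def verify(candidate: bytes, stored: bytes) -> bool:
        return hmac.compare_digest(hash_fn(candidate), stored)
    return verify


def probe_truncation(verify, password: str, stored: bytes,
                     limit: int = CRYPT_MAX_BYTES) -> dict:
    """Administrator's check for a hidden length limit. If the backend
    only looks at the first `limit` bytes, a candidate with the tail
    dropped or altered still authenticates. The password under test
    must be longer than `limit`, otherwise the probe proves nothing."""
    pw = password.encode("utf-8")
    if len(pw) <= limit:
        raise ValueError("test password must exceed the suspected limit")
    return {
        "full_password": verify(pw, stored),
        "first_bytes_only": verify(pw[:limit], stored),
        "tail_altered": verify(pw[:limit] + b"#garbage", stored),
    }


def is_truncated(verify, password: str, stored: bytes,
                 limit: int = CRYPT_MAX_BYTES) -> bool:
    """True when the backend accepts a tail-altered password, i.e. it
    effectively enforces a `limit`-byte password."""
    result = probe_truncation(verify, password, stored, limit)
    return result["full_password"] and result["tail_altered"]


def surviving_characters(password: str, limit: int = CRYPT_MAX_BYTES) -> str:
    """Characters that survive a byte-level cut. Multi-byte UTF-8
    characters shrink the effective limit, and a character split by the
    cut is lost entirely ("naïveté!" is 8 characters but 10 bytes)."""
    return password.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


if __name__ == "__main__":
    pw = "correct horse battery staple"
    legacy_store = legacy_crypt_like_hash(pw.encode("utf-8"))
    modern_store = modern_hash(pw.encode("utf-8"))
    legacy_verify = make_verifier(legacy_crypt_like_hash)
    modern_verify = make_verifier(modern_hash)
    print("legacy:", probe_truncation(legacy_verify, pw, legacy_store))
    print("modern:", probe_truncation(modern_verify, pw, modern_store))
    print("8-byte cut of 'naïveté!':", repr(surviving_characters("naïveté!")))
```

Against a real system the `verify` callable would be whatever login path you are auditing (for example a script that attempts an AFP or SSH login with each candidate); the probe itself stays the same: if the full password, its first eight bytes, and the first eight bytes plus garbage all succeed, the backend is enforcing the crypt-era limit regardless of what the password policy says.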
