[MacTUG] OS X password length limit... not eight characters?

Steve Hellyer phasetwo at apple.com
Tue Dec 14 15:39:48 EST 2010


Hi Mike and Daniel,

That article about the 8 character limit was only for Mac OS X 10.0.  Honestly, I don't know anyone running that. The oldest Mac OS X system with an Intel processor would be 10.4.6 (Jan 2006). Max length, as Ian indicated, is 128 characters. But again, I don't know any customer who uses that to the limit.  

Mike... I agree it's a bit misleading, but that is because it's taken a bit out of context of the whole chapter 3, Open Directory Authentication.
http://www.apple.com/server/macosx/resources/documentation.html

I think if one reads the whole chapter you get a better perspective on this whole subject.  Keep in mind that the OD password manager is trying to resolve various authentication and hash methods to create a single password experience, but using various encryption methods over the wire and for storage.

This includes...

Mail (POP and IMAP)
VPN (PPTP and L2TP)
SMB or CIFS (NTLM v2 etc)
Telnet or SSH
AFP
Web (Basic or Digest)
Others...
 
More thoughts below...


On 2010-12-14, at 9:53 AM, Mike Patterson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 2010/12/14 8:50 AM, Ian Turner wrote:
>> and further in the OD Admin manual (some history which explains the 
>> original post - note it refers to OSX 10.0, which as noted below used 
>> Crypt passwords)
> 
> Some of what you quoted seems a bit misleading, see below... this isn't
> your fault, of course, but I'm curious and a bit taken aback so I wanted
> to raise it where Somebody Official Might See It.  :-)
> 
>> About Shadow Passwords
> [..]
>> computer as the directory domain where the user account resides. Because 
>> the password is not stored in the user account, the password is not easy 
>> to capture over the network.
> 
> I fail to see how this is true.  You use shadow passwords to ensure that
> somebody with local access to a machine (authorized or not) requires
> escalated privileges in order to see the password hashes.  Using shadow
> files can't protect you from network sniffing and was never intended to.

Not sure they were referring to or thinking of sniffing specifically.  How about a user that leaves computer access active when they walk away?   If the user password was stored in the user account over the network, it would then be easy to gain access to the password.  It is therefore not "easy" for the average person to gain access to the password.  There is more in this chapter about this subject.

> 
>> About Crypt Passwords
>> A crypt password is stored in a hash in the user account. This strategy, 
>> historically named basic authentication,
> 
> I'm not sure what history the manual is referring to here.  I've only
> ever heard of basic authentication being used with respect to web-based
> authentication; basic versus digest.  On Unix machines, the use of crypt
> said nothing at all about shadowed password files or not.

Key word here is strategy.  It's not a method.  HTTP Basic access authentication method is definitely different than Crypt authentication.
In following paragraph writer refers to it as Crypt authentication.

Interestingly, the web server (on Mac OS X) is Apache (httpd), and the password daemon htpasswd can use the system's crypt() routine.
http://httpd.apache.org/docs/2.0/programs/htpasswd.html
They call this basic authentication.

> Granted, some of what the manual was talking about is possibly/probably
> with respect only to Apple methods, but it strikes me as confusing at
> best to overload the terms in the ways that what Ian quoted seems to imply.  :\

Agreed. Too much information in the context of password length. Clearly we are using Kerberos where Active Directory is involved (or at least I hope we are).
Not sending the password over the wire is the best strategy for protecting user accounts against knowledgeable people sniffing passwords.

> Mike

Hope this helps,

Steve
-------------------------------------------------------
Steve Hellyer
Pre-Sales Systems Engineer
Education Division (Higher Education)
Apple Canada Inc.
7495 Birchmount Rd.
Markham, Ontario, Canada
L3R 5G2

PH: (905)513-5647
Mailto: phasetwo at apple.com

Training Websites
http://training.apple.com/
http://www.witzapplecertifiedtraining.com/

AppleCare Online Support
http://www.apple.com/ca/support/

AppleCare Technical Phone Support
tel:1-800-263-3394  (basic up and running support for individual consumers)

AppleCare Enterprise Level Support
http://www.apple.com/ca/support/products/macosxserver_sw_supt.html

AppleCare Service Locations (Canada)
http://www.apple.ca/buy/locator/
Select Service Locations from pull down menu

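The thread above turns on one practical point: a traditional DES-based crypt() hash, which Apple used in Mac OS X 10.0 and which Apache's htpasswd can still produce for HTTP Basic authentication, only uses the first 8 characters of the password. The following is an added example (not code from the list members, Apple or Apache) that audits an htpasswd file for such legacy entries and shows what the limit means in practice. The sample file, usernames and hash values are constructed placeholders of the right shape, not hashes of any real password; the format fingerprints follow the forms documented in the htpasswd manual linked above.

```python
"""Audit an Apache htpasswd file for legacy crypt() entries.

Added example for the MacTUG thread; not code from Apple, Apache or
the list members.  Traditional DES crypt(3) uses only the first 8
characters of the password; everything after that is silently
ignored.  The other htpasswd formats have no such limit.
"""
import re
from typing import Optional

# The 13-character [./0-9A-Za-z] form is classic DES crypt; the prefixed
# forms are the other formats htpasswd writes.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
CRYPT_EFFECTIVE_LENGTH = 8


def classify_hash(stored: str) -> str:
    """Name the htpasswd hash format of one stored password field."""
    if stored.startswith("$apr1$"):
        return "md5"          # Apache's iterated, salted MD5
    if stored[:4] in ("$2y$", "$2a$", "$2b$"):
        return "bcrypt"
    if stored.startswith("{SHA}"):
        return "sha1"         # unsalted SHA-1, base64-encoded
    if CRYPT_RE.fullmatch(stored):
        return "crypt"        # traditional crypt(): 8-char effective limit
    return "unknown"


def effective_limit(fmt: str) -> Optional[int]:
    """Characters of the password the format actually uses (None = all)."""
    return CRYPT_EFFECTIVE_LENGTH if fmt == "crypt" else None


def same_under_format(pw_a: str, pw_b: str, fmt: str) -> bool:
    """True if the two passwords would verify identically under fmt."""
    limit = effective_limit(fmt)
    if limit is None:
        return pw_a == pw_b
    return pw_a[:limit] == pw_b[:limit]


def audit_htpasswd(text: str):
    """Return one finding per entry: line, user, format, limit, note."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append({"line": lineno, "user": None, "format": "malformed",
                             "limit": None, "note": "missing ':' separator"})
            continue
        user, stored = line.split(":", 1)
        fmt = classify_hash(stored)
        note = ""
        if fmt == "crypt":
            note = ("legacy crypt(): only the first %d characters count; "
                    "rehash with bcrypt (htpasswd -B)" % CRYPT_EFFECTIVE_LENGTH)
        elif fmt == "sha1":
            note = "unsalted SHA-1: no length limit, but cheap to brute-force"
        elif fmt == "unknown":
            note = "unrecognised hash format"
        findings.append({"line": lineno, "user": user, "format": fmt,
                         "limit": effective_limit(fmt), "note": note})
    return findings


# Constructed sample file (hypothetical users); the hash values are
# placeholders of the right shape, not hashes of any real password.
SAMPLE_HTPASSWD = """\
# users for the intranet realm
alice:abJnggxhB/yWI
bob:$apr1$ZkQ3tF9x$0123456789abcdefghijkl
carol:$2y$05$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
dave:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
broken line without separator
"""

if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        print("line %2d  %-8s %-9s limit=%-4s %s"
              % (f["line"], f["user"], f["format"], f["limit"], f["note"]))
```

Run against a real htpasswd file, the "crypt" findings are the accounts where a user who believes they set a 20-character password is actually protected by its first 8; `same_under_format` makes that concrete by showing two different long passwords verifying identically under crypt but not under the other formats.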

