ADAMS@INTELLICORP.COM (Kevin Adams) (08/15/90)
I would like to comment on the restriction Apple places on the maximum length a password associated with an AppleShare server can be. Currently, one can have only up to 6 characters. From a security standpoint, this seems to be too few. Most timesharing/server operating systems provide for passwords up towards 16 or 32 characters. Now, realistically, nobody uses much more than, say, 10.

The 6 character length restriction really starts to become a problem when the password file used by AppleShare serves double duty, that is, is also used to authenticate users of large timesharing/server systems (i.e. Unix, VMS, etc.). More to the point, other systems provide ways of forcing or encouraging longer passwords. This is critical when your password database is largely centralized and referenced by many different security agents.

It is my feeling and desire to see AppleShare support password lengths much more in line with other systems.

The purpose of this message is not to provoke a discussion on passwords and security. But, rather, to find out if anyone else has the same thoughts and views on the topic. If so, how you deal with this problem. Of course, my ideal solution would be for Apple to increase the maximum password length. Anyone know if Apple has plans to do this?

Kevin Adams
Adams@IntelliCorp.Com
-------
barry@sun.udel.edu (Barry Fausnaugh) (08/15/90)
In article <Added.Eam9PV200jZd83cE9c@andrew.cmu.edu> ADAMS@INTELLICORP.COM (Kevin Adams) writes:
>only up to 6 characters. From a security standpoint, this seems to be too few.
>Most timesharing/server operating systems provide for passwords up towards
>16 or 32 characters. Now, realistically, nobody uses much more than, say, 10.

I have had AppleShare type passwords which are longer than 6 characters. Perhaps you could elaborate on the circumstances of your 6 character password limit. For example, what version of AppleShare are you using?

Barry Fausnaugh
denbeste@bgsuvax.UUCP (William C. DenBesten) (08/16/90)
From article <Added.Eam9PV200jZd83cE9c@andrew.cmu.edu>, by ADAMS@INTELLICORP.COM (Kevin Adams):
> I would like to comment on the restriction Apple places on the maximum length
> a password associated with an AppleShare server can be. Currently, one can have
> only up to 6 characters. From a security standpoint, this seems to be too few.

I think that this actually prevents a bigger problem: I know how to find out all the user names and passwords, given a users & groups file. If the passwords are the same as on the mainframe, the mainframe security can be instantly and widely compromised.

To prevent this from happening at your site, do 3 things:

1) keep your server physically secure, so no one can reboot with a floppy to copy your users & groups file.
2) don't leave copies of users and groups outside of your server folder.
3) keep all backups that contain users and groups secure.

1 & 3 are also important from the standpoint of protecting user files, but we all know that, don't we :-).
kraig@milton.u.washington.edu (Kraig Eno) (08/16/90)
>>Most timesharing/server operating systems provide for passwords up towards
>>16 or 32 characters. Now, realistically, nobody uses much more than, say, 10.
>
>I have had AppleShare type passwords which are longer than 6 characters.
>Perhaps you could elaborate on the circumstances of your 6 character
>password limit. For example, what version of AppleShare are you using?
>
>Barry Fausnaugh

I agree that longer passwords should be acceptable. Using Chooser 3.5 and AppleShare 2.0.2, if I try to enter a password longer than 8 characters, it yells at me. The reason this is important is that my "AppleShare" servers are actually Unix machines (accessed via NFS through a GatorBox), and my passwords can easily be over 8 characters long. The authentication is done against the /etc/passwd file on a Unix host, so I MUST use the password that I've set with the passwd command there.

It's OK for me because I know what's going on, but in a production environment the normal user would not know to limit his host password length until later when (s)he was denied access via the chooser. This is inconvenient at best, and should be a very easy change in the next version.

Kraig Eno
kraig@biostr.washington.edu
dorner@pequod.cso.uiuc.edu (Steve Dorner) (08/16/90)
In article <6365@milton.u.washington.edu> kraig@milton.u.washington.edu (Kraig Eno) writes:
>yells at me. The reason this is important is that my "AppleShare" servers
>are actually Unix machines (accessed via NFS through a GatorBox), and my
>passwords can easily be over 8 characters long.

The UNIX's I use on a regular basis (DEC, NeXT, Sun, Convex, Sequent, Pyramid, 4.3bsd) will allow you to type as many characters as you like for your password, but blithely ignore all but the first 8. So you don't really have to worry in regard to UNIX.

(I agree that passwords shouldn't be limited to 8 characters, though.)

--
Steve Dorner, U of Illinois Computing Services Office
Internet: s-dorner@uiuc.edu
UUCP: {convex,uunet}!uiucuxc!dorner
Dave_Brent@MTSG.UBC.CA (08/16/90)
I ran into the same problem, and discovered that some Unix systems only seem to use the first 8 characters (at least for *my* password). This appears true for SunOS at least. I discovered this when I used AppleShare and Aufs for the first time, which only used the first 8 characters of my password, and I got on!

Dave Brent, UBC Computing Services (but not for long)
brent@staff.ucs.ubc.ca
Dave_Brent@MTSG.UBC.CA (08/16/90)
Actually, I just looked at the man page for passwd and it states that there is an 8 character limit on the password (although longer passwords will be accepted) ... Dave
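
The interaction described in the posts above (a client that refuses input over 8 characters, and a Unix host that only uses the first 8) can be modelled as follows; this is an added example, not code from any poster or from AppleShare. SHA-256 stands in for crypt(3), and all function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

UNIX_SIGNIFICANT = 8  # thread: passwd uses only the first 8 characters
CHOOSER_MAX = 8       # thread: Chooser 3.5 / AppleShare 2.0.2 refuses longer input


def _digest(salt, password, significant):
    # SHA-256 is a stand-in for crypt(3); only the truncation is modelled.
    prefix = password if significant is None else password[:significant]
    return hashlib.sha256(salt + prefix.encode()).digest()


def make_record(password, significant=UNIX_SIGNIFICANT):
    """Server side: store a salted hash of the significant prefix only."""
    salt = os.urandom(8)
    return salt, _digest(salt, password, significant)


def verify(record, attempt, significant=UNIX_SIGNIFICANT):
    salt, stored = record
    return hmac.compare_digest(stored, _digest(salt, attempt, significant))


def login(record, typed, client_max=CHOOSER_MAX, significant=UNIX_SIGNIFICANT):
    """Client enforces its length cap before anything reaches the server."""
    if len(typed) > client_max:
        return "rejected-by-client"
    return "ok" if verify(record, typed, significant) else "denied"


def prefix_collisions(passwords, significant=UNIX_SIGNIFICANT):
    """Audit helper: group passwords a truncating verifier cannot tell apart."""
    groups = {}
    for pw in passwords:
        groups.setdefault(pw[:significant], []).append(pw)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    rec = make_record("correcthorse42")           # constructed sample password
    print(login(rec, "correcthorse42"))           # full password: client refuses
    print(login(rec, "correcth"))                 # first 8 characters: accepted
    full = make_record("correcthorse42", significant=None)
    print(login(full, "correcth", significant=None))  # non-truncating server
    print(prefix_collisions(["correcthorse42", "correcthorse99", "tr0ub4dor"]))
```

Passing `significant=None` models a host that hashes the whole password: a user with a password longer than the client cap then has no input the client will accept that the server will also verify.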