On Fri, 30 Nov 2001, Roger Keays wrote:
>
> Hi all,
>
> I'm not sure if this is common knowledge or not, but I have just noticed
> the effects of having the first two letters of your password the same as
> the first two in your login name... You can use any extension of your
> password!!
>
> e.g., on my Woody box I added a user called 'ron' and his password was
> 'roniosko'. He could log in with 'ronioskos', 'ronioskoasdfasd' and so
> forth!
>

All the ones you tried are over 8 letters, I bet?

My guess is you're using DES. DES only allows up to 8 letter passwords.

Check your /etc/pam.d, look at login and passwd in there. If you add md5 at
the end of the line that handles passwords, this will enable md5, which
allows longer passwords.

This is backwards compatible in that your existing passwords will still
work. Once you change it or add another user, it will use md5.

If you look at /etc/shadow, you can see the difference. MD5 passwords start
with a $1 in the password field. DES ones don't, and are slightly shorter
hashes.

Debian 2.1 didn't use MD5 passwords, and there's no way to automatically
transfer forward to DES passwords. It's an option on 2.2 and above to
install MD5 passwords; you should.

Hope this helps,
Mike
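
An added example, not part of the original message: a small audit of the two places the reply points at, classifying /etc/shadow password fields as DES or MD5 and checking whether a PAM password line carries the md5 option. The sample shadow and PAM lines are constructed for illustration, and the function names are hypothetical.

```python
import re

# Traditional DES crypt(3): 2-char salt + 11-char hash = 13 chars, no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt: "$1$" + salt (up to 8 chars) + "$" + 22-char hash.
MD5_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# Constructed sample data, not real hashes or real accounts.
SAMPLE_SHADOW = """\
ron:roAbCdEfGhIjK:11656:0:99999:7:::
alice:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:11656:0:99999:7:::
daemon:*:11656:0:99999:7:::
"""
SAMPLE_PAM_BEFORE = "password required pam_unix.so nullok\n"
SAMPLE_PAM_AFTER = "password required pam_unix.so nullok md5\n"

def classify_hash(field):
    """Name the scheme of one /etc/shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "!*":          # locked or login-disabled account
        return "locked"
    if MD5_RE.match(field):
        return "md5"
    if DES_RE.match(field):
        return "des"
    return "other"

def audit_shadow(text):
    """Map each user in shadow-format text to its hash scheme."""
    schemes = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and parts[0] and not parts[0].startswith("#"):
            schemes[parts[0]] = classify_hash(parts[1])
    return schemes

def des_users(text):
    """Users whose stored hash is DES, so only 8 password characters count."""
    return sorted(u for u, s in audit_shadow(text).items() if s == "des")

def pam_md5_enabled(text):
    """True if a pam_unix 'password' line carries the md5 option."""
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "password" and tok[2].endswith("pam_unix.so"):
            return "md5" in tok[3:]
    return False

if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW))
    print("DES users:", des_users(SAMPLE_SHADOW))
    print("md5 enabled:", pam_md5_enabled(SAMPLE_PAM_AFTER))
```

Accounts reported by `des_users` keep their DES hash until the password is next changed, as the reply notes, so they need a password change after md5 is enabled.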