[Pkg-shadow-devel] Bug#406046: Useradd: limits password to eight characters

Tina Isaksen tinaweb at bestemselv.com
Mon Jan 8 09:13:22 CET 2007

Package: passwd
Version: 1:
Severity: important

Wehen using useradd with an encrypted password the password is limited to eight caracters but this is not
mentioned anywhere.
Example: Cleartext password "testuserpass" makes encrypted password "33nGdctTISeok". The system then accept
"testuser" as password when loging in.
Since this is not mentioned anywhere it poses a security risk even if one uses complex password but the
'complexity' is after the first eight characters (which might be a word easily cracked)

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages passwd depends on:
ii  debianutils                 2.17         Miscellaneous utilities specific t
ii  libc6                       2.3.6.ds1-8  GNU C Library: Shared libraries
ii  libpam-modules              0.79-4       Pluggable Authentication Modules f
ii  libpam0g                    0.79-4       Pluggable Authentication Modules l
ii  libselinux1                 1.32-3       SELinux shared libraries
ii  login                       1: system login tools

passwd recommends no packages.

-- debconf information excluded

More information about the Pkg-shadow-devel mailing list