Re: Long passwords (fwd)

Victor Muslin (vmuslin@prodigy.com)
Mon, 25 Mar 1996 16:26:19 -0500 (EST)

XORing the same MD5 multiple times introduces a security
weakness. There are better schemes considered and discussed on the
ietf-radius mailing list. I am sure that Livingston is aware as one of
their people is chairing that WG.

On 25 Mar 1996, Richard Huveneers wrote:

> In article <199603250023.QAA28747@server.livingston.com>, megazone@livingston.COM (MegaZone) writes:
>
> >Once upon a time Richard Huveneers shaped the electrons to say...
> >
> >>We have problems using UNIX passwords longer than 16 characters. I examined
> >>the source of radiusd-1.16 and noticed that the passwords are truncated after
> >>16 characters, so I recoded the password decrypting according to the draft.
> >
> >PMs only handle passwords 16 characters long, you simply can't use a
> >longer password.
>
> Please consider this for a future revision of ComOS. The necessary changes
> to the radius daemon are very basic (just XOR-ing the md5 digest multiple
> times instead of once). I suspect the same to be true for ComOS.
>
> Am I begging the right person?
>
> We'd very much like to offer this service to our customers. All other services
> on our UNIX system requiring authentication, like login and ftp, support very
> long passwords.
>
> Thanks for your time,
>
> Richard Huveneers.
>
>
>

\\\|///
\\ - - //
( @ @ )
+------------------------------oOOo-(_)-oOOo--------------------+
| Victor Muslin | |
| Prodigy Services Company | Voice: (914) 448-4737 |
| 445 Hamilton Avenue, H11A | Fax: (914) 448-8462 |
| White Plains, NY 10601 | Internet: vmuslin@prodigy.com |
+-----------------------------+--------Oooo---------------------+
oooO ( )
( ) ) /
\ ( (_/
\_)
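Why XORing one digest into every 16-byte block is weak, as an added example that is not part of the original messages or of radiusd. The secret, authenticator and password are constructed sample values and the function names are illustrative. The chained variant is the construction in RFC 2865 section 5.2, shown for contrast; it is not claimed to be the scheme the ietf-radius list was discussing.

```python
import hashlib

BLOCK = 16  # MD5 digest length; the password is null-padded to a multiple of it

def pad16(password: bytes) -> bytes:
    blocks = max(1, -(-len(password) // BLOCK))
    return password.ljust(blocks * BLOCK, b"\x00")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_repeated(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Scheme from the thread: the same MD5 digest is XORed into every block."""
    pad = hashlib.md5(secret + authenticator).digest()
    p = pad16(password)
    return b"".join(xor(p[i:i + BLOCK], pad) for i in range(0, len(p), BLOCK))

def hide_chained(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous hidden block)."""
    p, prev, out = pad16(password), authenticator, []
    for i in range(0, len(p), BLOCK):
        prev = xor(p[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out.append(prev)
    return b"".join(out)

def block_xor(hidden: bytes) -> bytes:
    """XOR of the first two hidden blocks; needs no knowledge of the secret."""
    return xor(hidden[:BLOCK], hidden[BLOCK:2 * BLOCK])

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
AUTH = bytes(range(16))                 # stands in for the Request Authenticator
PASSWORD = b"correct horse battery"     # 21 bytes, so two blocks

if __name__ == "__main__":
    # Repeated pad: the pad cancels, leaving p1 XOR p2. Block 2 is mostly
    # null padding, so bytes 5..15 of block 1 appear unmodified.
    print(block_xor(hide_repeated(PASSWORD, SECRET, AUTH))[5:])
    # Chained pads differ per block, so the same XOR is not plaintext.
    print(block_xor(hide_chained(PASSWORD, SECRET, AUTH))[5:])
```

For passwords of 16 bytes or fewer the two functions produce identical output, so the difference only matters once a second block exists.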