
Thread: 100 character password

  1. #1
    Join Date
    Jul 2013
    Beans
    103

    100 character password

    Hi,

    This isn't a big deal as I did this in the first place to see what would happen. I will be reinstalling this particular server anyways. Using a single user and no root login I changed the password to a 100 character password through an ssh connection. The password change went through. But after exiting the session and trying to log in again I can no longer log in with either the new 100 character password or with the old password.

    Is this a bug or is there a password limit in Ubuntu?

  2. #2
    Join Date
    Jul 2013
    Beans
    103

    Re: 100 character password

    Ah forgot. Version 12.04.2 LTS

  3. #3
    Join Date
    May 2009
    Location
    Courtenay, BC, Canada
    Beans
    1,661

    Re: 100 character password

    Better to disable password authentication and use keys:
    https://help.ubuntu.com/community/SSH/OpenSSH/Keys
    You should be able to go to recovery mode and reset your password, or you may find some success using a livecd. As for a password limit, there shouldn't be one, as a salted hash of your password is used in lieu of your actual password.

  4. #4
    Join Date
    Sep 2007
    Location
    over there
    Beans
    2,516
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: 100 character password

    I have often come across situations where a password has to be 64 characters or less. For some reason I have taken this onboard and generally assume the 64 character limit is something built into ssh/ssl/etc. That's just me though (and stuff I've read that made me think this). If I'm wrong, I shall crash, flaming, into the mountainside.
    "All people are scum. No matter what they look like." ~ Spider Jerusalem, Transmetropolitan #4


  5. #5
    Join Date
    Jul 2013
    Beans
    103

    Re: 100 character password

    Quote Originally Posted by HiImTye View Post
    Better to disable password authentication and use keys:
    https://help.ubuntu.com/community/SSH/OpenSSH/Keys
    You should be able to go to recovery mode and reset your password, or you may find some success using a livecd. As for a password limit, there shouldn't be one, as a salted hash of your password is used in lieu of your actual password.
    Thanks. I know I could reset with a CD, but this was more an experiment that I halfway expected to break a server that needs to be rebuilt anyways. In regards to your other point, I am not a fan of keyfile authentication. As I understand the same keyfile must be shared across all users (some who may not be in the sudo group). I deem that a serious serious risk. Granted in my example there was one user though. And this is not even mentioning that keys sometimes end up being sent via insecure methods which is another security risk. I guess the same can be true of passwords, but keys seem to lend themselves to need to occasionally be sent via an insecure method such as email more often than even a complex random password.

  6. #6
    Join Date
    Jul 2013
    Beans
    103

    Re: 100 character password

    Quote Originally Posted by t0p View Post
    I have often come across situations where a password has to be 64 characters or less. For some reason I have taken this onboard and generally assume the 64 character limit is something built into ssh/ssl/etc. That's just me though (and stuff I've read that made me think this). If I'm wrong, I shall crash, flaming, into the mountainside.
    I think that you are right in theory. However 64 characters very well may not be the magic number for ssh at least...

    Anywho to sum up. I can confirm that I could not log in to Ubuntu 12.04.2 LTS via SSH after changing to a 100 character password and rebooting. Maybe I will try again in the near future in a virtual machine to confirm my findings.

  7. #7
    prodigy_ is offline May the Ubuntu Be With You!
    Join Date
    Mar 2008
    Beans
    1,219

    Re: 100 character password

    Quote Originally Posted by schnappi2 View Post
    As I understand the same keyfile must be shared across all users
    Actually you can make your server accept as many public keys as you want. They don't have to be shared between users in any way and they can be further protected with passphrases. And even a shared key can be "revoked" (by removing it from authorized_keys files) at any time.
    Last edited by prodigy_; July 18th, 2013 at 06:41 AM.
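
The per-key revocation described in post #7, as an added example that is not part of the thread: it finds one entry in an `authorized_keys` file by its OpenSSH-style SHA256 fingerprint and removes only that entry. The key blobs, comments and helper names are constructed for illustration and are not real keys.

```python
import base64, hashlib, struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def make_blob(seed):
    """Constructed ed25519-shaped public key blob (sample data, not a real key)."""
    s = lambda b: struct.pack(">I", len(b)) + b   # SSH length-prefixed string
    return s(b"ssh-ed25519") + s(bytes([seed]) * 32)

def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (fingerprint, comment) for a key line, None for blanks/comments."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # Options may precede the key type, so scan for "<type> <base64 blob>".
    for i, tok in enumerate(tokens[:-1]):
        if tok in KEY_TYPES:
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                continue
            if blob[4:4 + len(tok)] == tok.encode():  # blob names the same type
                return fingerprint(blob), " ".join(tokens[i + 2:])
    return None

def revoke(text, fp):
    """Drop every entry whose fingerprint is fp; keep all other lines as-is."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry[0] == fp:
            removed.append(entry[1])
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def entry(seed, comment, options=""):
    b64 = base64.b64encode(make_blob(seed)).decode()
    return f"{options} ssh-ed25519 {b64} {comment}".strip()

# Constructed authorized_keys: three independent keys on one account.
SAMPLE = "\n".join([
    "# constructed authorized_keys for one account",
    entry(1, "alice@laptop"),
    entry(2, "alice@desktop"),
    entry(3, "backup@nas", 'command="rsync --server",no-pty'),
]) + "\n"
```

Calling `revoke(SAMPLE, fingerprint(make_blob(1)))` removes only the laptop key; the desktop and backup keys keep working, which is the property post #7 relies on.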

  8. #8
    Join Date
    Dec 2009
    Location
    germany
    Beans
    1,020
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: 100 character password

    Quote Originally Posted by schnappi2 View Post
    Hi,

    This isn't a big deal as I did this in the first place to see what would happen. I will be reinstalling this particular server anyways. Using a single user and no root login I changed the password to a 100 character password through an ssh connection. The password change went through. But after exiting the session and trying to log in again I can no longer log in with either the new 100 character password or with the old password.

    Is this a bug or is there a password limit in Ubuntu?
    Hi,
    To me this sounds like a bug in sshd. Is the daemon still running after exiting the login?
    Start your connection in debug mode.
    By the way, it sounds very strange. 100 characters for a password; I think nobody has tried that before.
    Ciao
    "What is the robbing of a bank compared to the FOUNDING of a bank?" Bertolt Brecht

  9. #9
    Join Date
    May 2009
    Location
    Fareham, UK
    Beans
    Hidden!
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: 100 character password

    Quote Originally Posted by schnappi2 View Post
    I am not a fan of keyfile authentication. As I understand the same keyfile must be shared across all users (some who may not be in the sudo group). I deem that a serious serious risk.
    Password-less authentication is by far more secure than any password you can come up with, what could be more secure than only allowing pre-authorized computers to connect?
    Catch me on Freenode - imark

  10. #10
    Join Date
    Sep 2007
    Location
    over there
    Beans
    2,516
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: 100 character password

    Quote Originally Posted by CaptainMark View Post
    Password-less authentication is by far more secure than any password you can come up with, what could be more secure than only allowing pre-authorized computers to connect?
    Just to play devil's advocate: I know you have an account on a server; I steal your pre-authorized laptop and access your account on the server. If you were using password authentication (and followed strong password protocols) I would have to torture you or steal your brain to get into that account.

    Stupid scenario, I know. But devils' advocates dig stupid scenarios (otherwise they'd work for the Goddess, eh?)
    "All people are scum. No matter what they look like." ~ Spider Jerusalem, Transmetropolitan #4

