Two passwords work: how is this possible?

solrac

Mac Ninja
So I set my user account's password one day. Fine.

Then on another day, I decided to change it. But now the old password and the new password both work!!!!!!

Then I changed it to another password and it was the only one that worked, but I didn't want that password. That was just a test.

So I put it back to the password I changed it to the second time, and lo and behold, both passwords WORK!!!

Did I find some kind of 2 password combo that encrypts to the same hash in Mac OS X? Or WHAT?
 
Of the two passwords that both work, one has 10 characters and the other has 16 characters.

They are both in this format:
{phrase}{number}

the first password is:
{8 character phrase}{2 digit number}

the second password is:
{same 8 character phrase}{8 digit number}

And what would permissions have to do with it??
 
Oh, and I tried converting my two passwords to an md5 hash using PHP, and they did not match. So obviously Mac OS X is not encrypting the passwords with md5...
 
I think I remember reading that the password parser only looks at the first 8 characters and then truncates the remaining characters. This would make sense in your case.
 
Ditto what hunt45 said - many unix systems parse only the first 8 chars - so if the first 8 chars are the same, both will work.

For example, this is often the case with unix web or mail servers - try it on your email account (or web account if you have one).
 
Yes, yes... I remember reading this a while ago...

but... isn't there a case in which it uses the entire password and does not truncate? Where is this?
 
I would think you'd have to reconfigure the settings file using the terminal... but I have no idea which file that would be.
 
I believe that the keychain uses the entire password. I don't know if this is what you were thinking of though, or even for sure if I am remembering correctly :)
 
8 characters, that's what the system will recognize, anything after 8 doesn't matter.
 
The keychain is a totally different password system than the login is, though. So reading that isn't going to help any.

And there's no configuration file for it, either. It's part of the kernel. If you want to change the characters, you'll have to get the Darwin source and change that, then compile it yourself.

Otherwise, it's eight characters and no more. :p
 
The 8 char password limit is so ingrained in unix that I am sure that lots of stuff would break if it was changed, if not internally at least externally when interfacing with various things over the net.

Now the keychain rocks: it uses the full password and I believe AES to encrypt things. I keep all of my important stuff in there and have a different, significantly stronger password on that than on my account. It just prompts you for another password when something needs to access the locked keychain.

Another cool feature is that you can have more than one keychain, and I was pleasantly surprised when I was able to just copy an old one off of tape when my HD crashed. Now I use two and all is good ;)

-Eric
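Added example, not from any poster in this thread: a small Python check that probes a password-hashing function for the silent 8-character cutoff discussed above, and shows why the original poster's `{phrase}{2 digits}` and `{phrase}{8 digits}` passwords both verify. The two hash functions are constructed stand-ins (SHA-256 with the truncation modelled explicitly), not the real DES-based crypt(3); only the probe logic is meant to be reused, e.g. against a real backend before trusting it with long passwords.

```python
import hashlib
import hmac
from typing import Callable, List, Optional

HashFn = Callable[[str, str], str]


def legacy_crypt_like(password: str, salt: str) -> str:
    """Constructed stand-in for a traditional crypt(3)-style scheme:
    only the first 8 characters of the password influence the hash."""
    return hashlib.sha256((salt + password[:8]).encode()).hexdigest()


def full_length_hash(password: str, salt: str) -> str:
    """Constructed stand-in for a scheme that uses the whole password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def truncation_length(hash_fn: HashFn, salt: str = "ab",
                      max_len: int = 64) -> Optional[int]:
    """Return how many leading characters affect hash_fn's output,
    or None if every position up to max_len matters.

    Probe: hash a base password of max_len 'a's, then flip one character
    at a time; the first position whose change leaves the hash unchanged
    is where the scheme stops looking at the password."""
    base = "a" * max_len
    reference = hash_fn(base, salt)
    for pos in range(max_len):
        variant = base[:pos] + "b" + base[pos + 1:]
        if hmac.compare_digest(hash_fn(variant, salt), reference):
            return pos
    return None


def accepted_passwords(hash_fn: HashFn, stored_hash: str, salt: str,
                       candidates: List[str]) -> List[str]:
    """Return every candidate that verifies against stored_hash."""
    return [p for p in candidates
            if hmac.compare_digest(hash_fn(p, salt), stored_hash)]


if __name__ == "__main__":
    # Constructed sample: 8-char phrase + 2 digits vs. same phrase + 8 digits.
    stored = legacy_crypt_like("macninja12", "ab")
    print(accepted_passwords(legacy_crypt_like, stored, "ab",
                             ["macninja12", "macninja12345678", "macninjb12"]))
    print(truncation_length(legacy_crypt_like), truncation_length(full_length_hash))
```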
 