Are passwords on modern Unix/Linux systems still limited to 8 characters?


Although the original DES-based algorithm only used the first 8 characters of the password, Linux, Solaris, and other newer systems now additionally support other password hash algorithms such as MD5 which do not have this limit. Sometimes it is necessary to continue using the old algorithm if your network contains older systems and if NIS is used. You can tell that the old DES-based algorithm is still being used if the system will log you in when you enter only the first 8 characters of your >8-character password.

Because it is a hash algorithm, MD5 does not have an intrinsic limit. However, various interfaces do generally impose some limit of at least 72 characters.

Although originally the encrypted password was stored in a world-readable file (/etc/passwd), it is now usually stored in a separate shadow database (e.g. /etc/shadow) which is only readable by root. Therefore, the strength of the algorithm is no longer as important as it once was. However if MD5 is inadequate, Blowfish or SHA can be used instead on some systems. And Solaris supports pluggable password encryption modules, allowing you to use any crazy scheme. Of course if you are using LDAP or some other shared user database then you will need to select an algorithm that is supported on all of your systems.


In glibc2 (any modern Linux distribution) the password encryption function can use MD5/SHA-xxx (provoked by a magic salt prefix) which then treats as significant all the input characters (see man 3 crypt). For a simple test on your system, you could try something like:

#!/bin/perl -w
my $oldsalt = '@@';        # two-character salt: traditional DES-based crypt
my $md5salt = '$1$@@$';    # "$1$" magic prefix selects the MD5-based scheme
print crypt("12345678",  $oldsalt) . "\n";
print crypt("123456789", $oldsalt) . "\n";
print crypt("12345678",  $md5salt) . "\n";
print crypt("12345678extend-this-as-long-as-you-like-0", $md5salt) . "\n";
print crypt("12345678extend-this-as-long-as-you-like-1", $md5salt) . "\n";

(which on my system gives)

@@nDzfhV1wWVg
@@nDzfhV1wWVg
$1$@@$PrkF53HP.ZP4NXNyBr/kF.
$1$@@$4fnlt5pOxTblqQm3M1HK10
$1$@@$D3J3hluAY8pf2.AssyXzn0

Other *ix variants support similar - e.g. crypt(3) since at least Solaris 10. However, it's a non-standard extension - POSIX does not define it.
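The following is an added example, not code from either answer above, illustrating the point both of them make: under the "$1$" magic salt prefix every byte of the password feeds the hash, so the 8-character truncation of the DES scheme disappears. It reimplements the MD5-crypt scheme (the one glibc's crypt(3) selects for a "$1$" salt) in pure Python with hashlib, so it needs no libc binding and no Perl; it reproduces the "$1$@@$..." lines printed by the Perl test in the previous answer. The DES scheme is deliberately left out. The function names md5crypt, parse_salt and truncation_check are this example's own, and the salt "@@" and the passwords are the same constructed values the Perl test used.

```python
"""Pure-Python MD5-crypt ("$1$") to show why the magic salt prefix makes
characters past the 8th significant.  Added example; md5crypt,
parse_salt and truncation_check are names chosen here, not a library API.
"""
import hashlib

MAGIC = b"$1$"
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s 6-bit, low-bits-first encoding used for the hash body."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def parse_salt(setting: bytes) -> bytes:
    """Extract the raw salt the way crypt(3) does for this scheme: drop an
    optional "$1$" prefix, then take at most 8 bytes, stopping at a '$'."""
    if setting.startswith(MAGIC):
        setting = setting[len(MAGIC):]
    return setting.split(b"$", 1)[0][:8]


def md5crypt(password: bytes, setting: bytes) -> bytes:
    """Return the full "$1$<salt>$<22 chars>" string for password/setting."""
    salt = parse_salt(setting)
    # The whole password is absorbed here: no 8-byte truncation anywhere.
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                      # one alt byte per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(password)
    while bits:                               # password length, bit by bit
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed 1000-round stretching
        ctx1 = hashlib.md5()
        ctx1.update(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    body = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return MAGIC + salt + b"$" + body


def truncation_check(candidates: list, setting: bytes) -> bool:
    """True when every candidate hashes differently under `setting`, i.e.
    the scheme does not collapse passwords sharing the first 8 bytes."""
    hashes = {md5crypt(pw, setting) for pw in candidates}
    return len(hashes) == len(candidates)


if __name__ == "__main__":
    # Same constructed inputs as the Perl test: identical first 8 bytes.
    for pw in (b"12345678", b"123456789",
               b"12345678extend-this-as-long-as-you-like-0",
               b"12345678extend-this-as-long-as-you-like-1"):
        print(md5crypt(pw, b"$1$@@$").decode())
```

Run as a script it prints the three "$1$@@$..." values from the previous answer plus a fourth, distinct one for "123456789"; under the DES scheme that last password would have produced the same 13-character string as "12345678", which is exactly the login-with-8-characters symptom the first answer describes. The check that settles the question for a given scheme is truncation_check: it returns True for the MD5 scheme because the hashes differ, and it would return False for any scheme that silently truncates.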


Not for Linux. It's only 8 if you disable MD5 Hashing.

http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-wstation-pass.html

You can administer policies enforcing longer and more complex passwords as well.

The full lengths are discussed here:

http://www.ratliff.net/blog/2007/09/20/password-length/