Logins and passwords

[Eric F]

I updated my password yesterday. When I got here later, I was logged out (due to inactivity), and when I tried to log in… Username or password was wrong.

Tried a couple of times and then I reset it. I chose a new password, a bit shorter (< 64), and now it seems fine. I tested to log out manually, and then back in.

So, what are the passwords restrictions? in length, that is. Would be great to know so I can maximize it.

I use KeepassX and just click “Generate” to get a long (128) random password I don't need to remember. Looks like 128 was too long, for some reason. If you could fix that would be great.

Anyway... That's a “bug” to me. The form in the profile prefs to change password accepted the long password, and let me surf on. No warnings, no errors - like everything was ok. It should at least say something that my password was too long or something.

· Eric

[dswaner]

If you could fix that would be great.

You need to file a bug report or RFE (request for enhancement) at https://bugzilla.redhat.com/index.cgi. The developers generally don't read this forum.

I've experienced the same thing with on-line accounts - you enter the password, and it appears to work, but then it doesn't work when you try to login again - either because the password was too long, or it contained illegal characters - but no warning is issued. I saw some NIST document that recommended that passwords be kept shorter than (several?) MEGABYTES - because it would take a long time to hash down (to 128 bits?) !

[antikythera]

You need to file a bug report or RFE (request for enhancement) at https://bugzilla.redhat.com/index.cgi. The developers generally don't read this forum.

I've experienced the same thing with on-line accounts - you enter the password, and it appears to work, but then it doesn't work when you try to login again - either because the password was too long, or it contained illegal characters - but no warning is issued. I saw some NIST document that recommended that passwords be kept shorter than (several?) MEGABYTES - because it would take a long time to hash down (to 128 bits?) !

Please do not file anything to do with this forum on redhat bugzilla. they will just close it straight away as this user forum is nothing to do with developers over there

@dswaner the post is forum feedback, nothing to do with the operating system itself

[lsatenstein]

The password you enter is hashed and "salted". That means that your very long password or a very short password is hashed into a hexadecimal string of characters. The salt string is applied to your password as the hash is calculated. Two people with the same password will have different values stored due to "salt and hash" combination.
A fixed size area is used to store the hashed and "salted" password.

Linux may impose a Max length for a "in the clear" password string. There is no assurance that a very long password is more secure than one of 7 or eight characters. A long string is certainly harder to remember, if using a long "in the clear password" makes you feel better.