Password too long

Nadav Golombick
What is the correct procedure if I come to a situation where the
password length is too big for the given buffer.

--
Nadav Golombick
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: Password too long

Joseph Oreste Bruni-2
The old unix crypt function would only use the first eight characters
of any password.


On Oct 23, 2005, at 2:10 AM, Nadav Golombick wrote:

> What is the correct procedure if I come to a situation where the
> password length is too big for the given buffer.

Re: Password too long

Bear Giles
I'm sure others will have a better answer, but I seem to recall
that there's a difference between passwords and passphrases.
Directly using a human readable password is bad since there's not
enough randomness to it and you're limited to 8 or 16 characters.

With a passphrase you can do things like using the hash of the
passphrase as the key, encrypting the passphrase with the first 8
or 16 characters of the passphrase as the key, etc.

I believe there's a FIPS standard for generating encryption keys
from a passphrase, using a technique similar to those mentioned
above.  If you're looking at a modern Unix crypt() analogue it's
just a hash with salt.  E.g., one possibility is H(passcode .
H(salt . passcode)), with the salt encoded in the first few
characters of the stored password.

BTW don't forget that many (all?) robust systems will generate a
random encryption key for the body of the ciphertext.  This key is
the only thing encrypted with the key generated by the passphrase.

Nadav Golombick wrote:
> What is the correct procedure if I come to a situation where the
> password length is too big for the given buffer.

Re: Password too long

Michael Sierchio
Nadav Golombick wrote:
> What is the correct procedure if I come to a situation where the
> password length is too big for the given buffer.

If this is a design question, then the proper thing to do IMHO
is akin to what's done for HMAC-MD5 or HMAC-SHA1 -- if the
passphrase exceeds the buffer length, compute the SHA1
hash of the passphrase and use that as the passphrase.
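The HMAC-style rule Michael describes, as an added example that is not part of this thread: the RFC 2104 key-handling step with SHA-1, where a passphrase longer than the hash's 64-byte block is replaced by its digest before use, cross-checked against Python's standard hmac module. The 64-byte buffer size and the sample passphrase are assumptions of the example, not values from the thread.

```python
import hashlib
import hmac

# SHA-1 works on 64-byte blocks; RFC 2104 sizes the HMAC key buffer to that block.
# (Assumed buffer size for this example.)
BLOCK_SIZE = 64


def normalize_key(passphrase: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """RFC 2104 key handling: a key longer than the block is replaced by its
    SHA-1 digest; every key is then zero-padded to the block length."""
    if len(passphrase) > block_size:
        passphrase = hashlib.sha1(passphrase).digest()
    return passphrase.ljust(block_size, b"\x00")


def hmac_sha1(passphrase: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 = H((K' xor opad) || H((K' xor ipad) || message))."""
    key = normalize_key(passphrase)
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()


def matches_stdlib(passphrase: bytes, message: bytes) -> bool:
    """Cross-check: Python's hmac module applies the same over-long-key rule."""
    expected = hmac.new(passphrase, message, hashlib.sha1).digest()
    return hmac.compare_digest(hmac_sha1(passphrase, message), expected)


def digest_is_equivalent_key(passphrase: bytes, message: bytes) -> bool:
    """Consequence of the rule worth knowing when storing secrets: for an
    over-long passphrase its 20-byte SHA-1 digest is accepted as the very
    same key (only padding follows), so the digest needs the same protection
    as the passphrase. For a passphrase that fits the buffer this is False."""
    short_form = hashlib.sha1(passphrase).digest()
    return hmac_sha1(passphrase, message) == hmac_sha1(short_form, message)


if __name__ == "__main__":
    # Constructed input: a 116-byte passphrase overflows the 64-byte buffer.
    long_passphrase = b"correct horse battery staple " * 4
    msg = b"example message"
    print("long passphrase, matches stdlib:", matches_stdlib(long_passphrase, msg))
    print("digest works as the same key:   ", digest_is_equivalent_key(long_passphrase, msg))
    print("short passphrase, digest same?  ", digest_is_equivalent_key(b"short", msg))
```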
