When I try to set root's password:

root@OpenWrt:~# passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.

It seems the maximum length is 8. If I try to set a password longer than 8, only the first 8 characters are valid. How can I set a longer password for root?

My OpenWrt version:

Linux OpenWrt 4.14.108 #0 SMP Wed Mar 27 21:59:03 2019 x86_64 GNU/Linux
Peter Mortensen, Alan42

2 Answers

This is because DES-based crypt (AKA 'descrypt') truncates passwords at 8 bytes, and only checks the first 8 for the purpose of password verification.

That's the answer to your direct question, but here's some general advice implied by your context:

  • Fortunately, from my reading, MD5 in /etc/login.defs is actually md5crypt ($1$), which, while a little outdated and declared deprecated by its author, is still far superior to DES-based crypt (and definitely much better than a raw, unsalted hash like plain MD5! Most unsalted hashes can be cracked on commodity GPUs at rates of billions per second)

  • It looks like SHA256 (actually sha256crypt) and SHA512 (actually sha512crypt) are also there. I would pick one of those instead.

  • If you set your password to password or something under each scheme, you can visually verify whether or not my conclusion that they're the -crypt variants is correct (examples here are taken from the hashcat example hashes, all 'hashcat', some wrapped for readability):

Not recommended - unsalted or legacy hash types, much too "fast" (cracking rates) for password storage:

MD5         - 8743b52063cd84097a65d1633f5c74f5
SHA256      - 127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
SHA512      - 82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e2 \
              9134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f
descrypt    - 48c/R8JAv757A

OK - much better than unsalted, no truncation, but no longer sufficiently resistant to brute force on modern hardware:

md5crypt    - $1$28772684$iEwNOgGugqO9.bIz5sk8k/

Better - relatively modern hashes with large salts and work factors:

sha256crypt - $5$rounds=5000$GX7BopJZJxPc/KEK$le16UF8I2Anb.rOrn22AUPWvzUETDGefUmAV8AZkGcD
sha512crypt - $6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/

Of these, only descrypt truncates at 8. The last two are your best bet.

(Side note: the digits-only salts in the md5crypt and sha512crypt examples above are just side effects of how hashcat creates example hashes; real, healthy salts are usually drawn from a much larger keyspace).

Note also that I'm only listing the hash types that are supported by /etc/login.defs on this platform. For general use, even sha256crypt and sha512crypt have been superseded - first by bcrypt, and then later by truly parallel-attack-resistant hashes like scrypt and the Argon2 family. (Note, however, that for interactive logins that should complete in under one second, bcrypt is actually more resistant to attack than the latter)

Royce Williams

I modified this in /etc/login.defs:

PASS_MAX_LEN            8

Problem fixed.

Important additions:

After I changed the above parameters, although I can set a password larger than 8 digits, it is still invalid because the real password is only the first eight digits. I don't know if this is my problem.

My final solution is to set

# ENCRYPT_METHOD DES

to

ENCRYPT_METHOD MD5

in /etc/login.defs.

Now, I can finally set a root password that is really larger than eight.

muru, Alan42

  • Good fix, but bad original choice for a system default though... – HBruijn Apr 09 '19 at 13:19
  • I assume you changed your password to something longer than 8 characters now. Can you try if logging in with just the first 8 characters of your longer password works? Because it just might... – marcelm Apr 09 '19 at 14:49
  • Thank you marcelm. You are right and I found another solution. – Alan42 Apr 09 '19 at 16:53
  • You might consider changing that to SHA256 or SHA512 if they are supported - MD5 is considered broken these days. – PhilippNagel Apr 09 '19 at 17:22
  • Really, sha256 and sha512 by themselves aren't much better than md5. You need a salt, and use the crypt versions of these algorithms. – SnakeDoc Apr 09 '19 at 17:51
  • From some quick googling I got the impression that openwrt uses musl, and that musl only supports descrypt, or uses it by default, or something. I'm not entirely sure, which is why I asked you to test the 8 chars thing. You could try the SHA512 or SHA256 options, and if one of them works, that's great. If not, at least MD5 is a lot better than DES. – marcelm Apr 09 '19 at 20:34
  • @PhilippNagel With a high-entropy password, it's not too bad. While MD5 should certainly be considered broken, the currently known weaknesses don't affect it for password hashing. What _is_ a problem for password hashing is the speed; non-iterated MD5 is so fast that brute-forcing is very feasible for many passwords. – marcelm Apr 09 '19 at 20:38
  • @SnakeDoc You don't just need a salt for better security, you also need iteration! Luckily, `crypt()` with SHA256/SHA512 does both. At least, it does on glibc. – marcelm Apr 09 '19 at 20:39
  • With recent advancements in GPU+cracking, even a totally random descrypt password can be exhausted quickly - in about a week on a 6x1080 system using hashcat. – Royce Williams Apr 09 '19 at 23:51
  • Has someone opened a bug / pull request against OpenWRT? – cat Apr 10 '19 at 22:45
  • If you need to defend against GPU cracking, you have to use `bcrypt`, `scrypt` or `blake2d` instead of plain hashes such as md5 or sha-family. I don't know if OpenWRT supports any safe variant. – Mikko Rantalainen Apr 11 '19 at 08:18
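As an added example (not code from the question, from either answer, or from the OpenWrt project): a small Python audit script that ties the two answers together. It recognises the crypt(3) formats listed in Royce Williams's answer by their `$id$` prefix (descrypt by its bare 13-character shape), reports descrypt entries as capped at 8 bytes, and reads ENCRYPT_METHOD from a login.defs snippet like the one in Alan42's answer, treating a commented-out line as unset. The shadow-style lines and the two login.defs texts are constructed for illustration, reusing the hashcat example hashes quoted above; the assessment strings, the bcrypt and Argon2 identifiers, and the function names are my additions.

```python
"""Classify the crypt(3) hash formats discussed above and check login.defs.

Constructed example: the shadow-style lines and the two login.defs snippets
are made up for illustration, reusing the hashcat example hashes quoted in
the answer; nothing here is read from a real system.
"""
import re
from typing import Optional

# "$id$" identifiers and the assessment given in the thread.  bcrypt and
# Argon2 are not offered by login.defs on this platform; they are listed
# only so a modern hash is recognised instead of reported as unknown.
SCHEMES = {
    "1": ("md5crypt", "OK: salted and iterated, but outdated"),
    "5": ("sha256crypt", "better: large salt and work factor"),
    "6": ("sha512crypt", "better: large salt and work factor"),
    "2a": ("bcrypt", "modern"),
    "2b": ("bcrypt", "modern"),
    "2y": ("bcrypt", "modern"),
    "argon2i": ("argon2", "modern"),
    "argon2id": ("argon2", "modern"),
}

# descrypt has no "$id$" prefix: 2 salt characters + 11 hash characters.
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# ENCRYPT_METHOD names from login.defs and the crypt scheme each selects
# (the answer explains that MD5 there means md5crypt, SHA512 sha512crypt, ...).
ENCRYPT_METHOD_TO_SCHEME = {
    "DES": "descrypt",
    "MD5": "md5crypt",
    "SHA256": "sha256crypt",
    "SHA512": "sha512crypt",
}


def identify_hash(field: str) -> tuple:
    """Return (scheme, assessment) for one /etc/shadow password field."""
    if field == "":
        return ("empty", "no password set")
    if field.startswith(("!", "*")):
        return ("locked-or-disabled", "password login disabled")
    if DESCRYPT_RE.match(field):
        return ("descrypt", "not recommended: only the first 8 bytes are checked")
    if field.startswith("$"):
        ident = field.split("$")[1]
        if ident in SCHEMES:
            return SCHEMES[ident]
    return ("unknown", "unrecognised format")


def max_effective_length(scheme: str) -> Optional[int]:
    """Bytes of the password that take part in verification (None: all of them)."""
    return 8 if scheme == "descrypt" else None


def audit_shadow(shadow_text: str) -> list:
    """One finding per shadow entry: user, scheme, assessment, effective cap."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if not line.strip() or line.startswith("#") or len(parts) < 2:
            continue
        scheme, assessment = identify_hash(parts[1])
        findings.append({"user": parts[0], "scheme": scheme,
                         "assessment": assessment,
                         "effective_max_len": max_effective_length(scheme)})
    return findings


def parse_login_defs(text: str) -> dict:
    """Active KEY VALUE pairs; a commented-out '# ENCRYPT_METHOD DES' is ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key_value = line.split(None, 1)
        settings[key_value[0]] = key_value[1].strip() if len(key_value) > 1 else ""
    return settings


def scheme_from_login_defs(text: str) -> Optional[str]:
    """Scheme passwd will use for new passwords, or None if ENCRYPT_METHOD is unset."""
    method = parse_login_defs(text).get("ENCRYPT_METHOD")
    return ENCRYPT_METHOD_TO_SCHEME.get(method.upper()) if method else None


# Constructed sample data (hashes are the hashcat examples quoted in the answer).
SAMPLE_SHADOW = """\
root:48c/R8JAv757A:18000:0:99999:7:::
alice:$1$28772684$iEwNOgGugqO9.bIz5sk8k/:18000:0:99999:7:::
bob:$5$rounds=5000$GX7BopJZJxPc/KEK$le16UF8I2Anb.rOrn22AUPWvzUETDGefUmAV8AZkGcD:18000:0:99999:7:::
carol:$6$52450745$k5ka2p8bFuSmoVT1tzOyyuaREkkKBcCNqoDKzYiJL9RaE8yMnPgh2XzzF0NDrUhgrcLwg78xs1w5pJiypEdFX/:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""
LOGIN_DEFS_BEFORE = "PASS_MAX_LEN            8\n# ENCRYPT_METHOD DES\n"
LOGIN_DEFS_AFTER = "PASS_MAX_LEN            8\nENCRYPT_METHOD SHA512\n"

if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f['user']:8} {f['scheme']:20} cap={f['effective_max_len']}  {f['assessment']}")
    print("before:", scheme_from_login_defs(LOGIN_DEFS_BEFORE))
    print("after: ", scheme_from_login_defs(LOGIN_DEFS_AFTER))
```

To use it on a real box, feed the contents of a copy of /etc/shadow to audit_shadow() and the contents of /etc/login.defs to scheme_from_login_defs(). The script only looks at hash prefixes and config text, never calls crypt(3) and never verifies a password, so it behaves the same on a musl-based OpenWrt image as on glibc. A root entry that comes back as descrypt is exactly the situation in the question: whatever length passwd accepted, only the first 8 bytes take part in verification, which is why marcelm's "log in with just the first 8 characters" test succeeds. Changing ENCRYPT_METHOD only affects passwords set afterwards; the existing hash stays in its old format until passwd is run again, so re-check the prefix after changing the password.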