Open Source Security

Password length

Within the past several months, an amazing number of people have asked me about the maximum length of passwords and user names in Red Hat Enterprise Linux and SUSE Linux Enterprise Server. Every one of them says that they have searched for this data and are not able to find it. I’ve searched around too and found it in bits and pieces, but not as a consolidated whole. It is funny, though (as in things that make you go hmmm), that Solar Designer has written an updated man page for crypt that contains almost all of this data; it is included in the glibc source RPM for SLES but not installed.

On RHEL5, the maximum length of a user name is 31 characters.
On SLES10, the maximum length of a user name is 32.
(Odd results, but try it and you will see!)

Algorithm: crypt
Prefix: none
Maximum Cleartext Password Length: 8
Length of Salt: 2-char (12 bits)
Iterations: 25 (built-in)
Length of Hashed String: 11-char (64-bit)
Maximum Length of Hashed Password (prefix + salt + $ + hashed_str): 13-char (0 + 2 + 0 + 11 = 13)

Algorithm: md5
Prefix: $1$
Maximum Cleartext Password Length:
  RHEL5.1: 79 (5.1 limit imposed by passwd)
  SLES10: 127 (limit imposed by passwd, blames crypt in comment)
Length of Salt: 8-char (48 bits)
Iterations: 1000 (built-in)
Length of Hashed String: 22-char (128-bit)
Maximum Length of Hashed Password (prefix + salt + $ + hashed_str): 34-char ($1$salt$hashed_str) (3 + 8 + 1 + 22 = 34)

Algorithm: Blowfish (SUSE)
Prefix: $2a$
Maximum Cleartext Password Length: 72
Length of Salt: 22-char (128 bits)
Iterations: 16 (built-in)
Length of Hashed String: 31-char (184-bit)
Maximum Length of Hashed Password (prefix + salt + $ + hashed_str): 60-char ($2a$nn$salthashed_str) (4 + 2 + 1 + 22 + 31 = 60)

Note that I am still working on experimenting with the formatting of this entry because I find the current presentation relatively unreadable. So this entry may change after it is published.
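
As an added example (not from the original post or from any distribution's tooling), the Python code below checks /etc/shadow password fields against the three layouts in the table and lists the accounts still on traditional crypt, where only the first 8 characters of the password count. The function names and the sample entries are assumptions constructed for illustration.

```python
import re

B64 = r"[./0-9A-Za-z]"  # crypt(3) base-64 alphabet
# (scheme, max cleartext length as listed in the post, pattern for the hashed password)
SCHEMES = [
    ("crypt", "8", re.compile(rf"(?P<salt>{B64}{{2}})(?P<hash>{B64}{{11}})")),
    ("md5", "79 (RHEL5.1) / 127 (SLES10)",
     re.compile(rf"\$1\$(?P<salt>[^$:]{{1,8}})\$(?P<hash>{B64}{{22}})")),
    ("blowfish", "72",
     re.compile(rf"\$2a\$\d{{2}}\$(?P<salt>{B64}{{22}})(?P<hash>{B64}{{31}})")),
]

def classify(field):
    """Classify one /etc/shadow password field against the three formats above."""
    locked = field.startswith("!")      # a leading "!" marks a locked password
    body = field.lstrip("!")
    if body in ("", "*"):               # no usable hash stored
        return {"scheme": None, "locked": locked or body == "*", "total_len": 0}
    for name, max_clear, pattern in SCHEMES:
        m = pattern.fullmatch(body)
        if m:
            return {"scheme": name, "locked": locked, "max_cleartext": max_clear,
                    "salt_len": len(m["salt"]), "hash_len": len(m["hash"]),
                    "total_len": len(body)}
    return {"scheme": "unknown", "locked": locked, "total_len": len(body)}

def audit(shadow_text):
    """Map each user name to the classification of its password field."""
    report = {}
    for line in shadow_text.splitlines():
        user, field = line.split(":")[:2]
        report[user] = classify(field)
    return report

def truncating_accounts(report):
    """Users on traditional crypt, where only the first 8 characters count."""
    return sorted(u for u, r in report.items() if r["scheme"] == "crypt")

# Constructed sample entries (filler characters, not real hashes).
SAMPLE = "\n".join([
    "alice:ab" + "D" * 11 + ":13900:0:99999:7:::",
    "bob:$1$" + "s" * 8 + "$" + "M" * 22 + ":13900:0:99999:7:::",
    "carol:$2a$05$" + "s" * 22 + "B" * 31 + ":13900:0:99999:7:::",
    "dave:!ab" + "D" * 11 + ":13900:0:99999:7:::",
    "daemon:*:13900:0:99999:7:::",
])

if __name__ == "__main__":
    print("still on 8-character crypt:", truncating_accounts(audit(SAMPLE)))
```

A field that matches none of the three layouts is reported as "unknown" rather than guessed at, so hashes in other formats show up for manual review.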

4 Responses

  1. Tim Pepper

    Thanks for summarising this, Emily. What a large amount of variation…no wonder there’s confusion.

  2. Deejay

    Is there a method to increase the maximum length of the username (actually it is 31 chars in FC5)?

  3. […] looking at this blog post on Password Length, I figured the program would stop at 79 or 127 or something, but to my surprise it didn’t, it […]

  4. […] other than stock crypt for passwords and can go to much longer lengths. It is still somewhat distro-dependent […]