Fix password security in 10.3.x for upgraded accounts

Dec 07, '04 09:38:00AM

Contributed by: Angostura

I was not aware of this, but pre-10.3 versions of OS X silently ignored any characters beyond the eighth in login passwords. That is, the passwords '12345678hello' and '12345678goodbye' were equivalent. The unwitting user could have ended up with a much less secure password than they thought they had.

OS X 10.3 fixed this; however, anyone who did an upgrade install (and possibly an archive and install) from an earlier version of OS X will find that pre-existing accounts retain the weakness -- password characters past the eighth position are ignored. It is possible to check the status of the password using NetInfo Manager (in Applications -> Utilities). Launch the application, click on Users, then click on your username. Users with old-style, weak passwords will have the property authentication_authority (in the lower portion of the window) set to ;Basic;. Strong full-length passwords will have the value ;ShadowHash; for this property.
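For anyone with more than a couple of accounts to check, the same NetInfo lookup can be scripted. The following is an added example, not code from the hint or from Apple: it classifies accounts by their authentication_authority value using the ;Basic; / ;ShadowHash; markers described above. The sample dumps are constructed in the `key: value` layout that `niutil -read` prints, and the `collect_live_dumps` helper's use of `niutil -list` / `niutil -read` is an assumption about those commands' output on a 10.3 system, so verify it before relying on it.

```python
import subprocess
from typing import Dict, List, Optional

# Marker strings from the hint. Matching is done case-insensitively because
# the on-disk value is ";basic;" on some systems and ";Basic;" in the UI.
WEAK_MARKER = "basic"
STRONG_MARKER = "shadowhash"


def parse_niutil_read(text: str) -> Dict[str, str]:
    """Parse `key: value` lines (the layout `niutil -read` prints) into a dict.

    partition() splits on the first colon only, so values that themselves
    contain colons (e.g. ';ShadowHash;HASHLIST:<...>') survive intact.
    """
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def classify_authority(value: Optional[str]) -> str:
    """Map an authentication_authority value to 'weak', 'strong' or 'unknown'.

    'basic' wins over 'shadowhash' when both appear: a crypt() hash that is
    still honoured means the 8-character truncation still applies.
    """
    if value is None:
        # Property absent: the hint does not say what this means, so flag it
        # for manual inspection rather than guessing.
        return "unknown"
    tags = {t.strip().lower() for t in value.split(";") if t.strip()}
    if any(t.startswith(WEAK_MARKER) for t in tags):
        return "weak"
    if any(t.startswith(STRONG_MARKER) for t in tags):
        return "strong"
    return "unknown"


def audit_accounts(dumps: Dict[str, str]) -> Dict[str, str]:
    """Classify every account given a mapping of username -> `niutil -read` text."""
    return {
        user: classify_authority(parse_niutil_read(text).get("authentication_authority"))
        for user, text in dumps.items()
    }


def weak_accounts(report: Dict[str, str]) -> List[str]:
    """Return the usernames whose passwords are still truncated at 8 characters."""
    return sorted(user for user, status in report.items() if status == "weak")


def collect_live_dumps(domain: str = "/") -> Dict[str, str]:
    """Gather dumps from a running 10.3 system (assumed niutil behaviour).

    Assumes `niutil -list <domain> /users` prints one 'id name' line per
    account and `niutil -read <domain> /users/<name>` prints `key: value`
    lines. Not exercised by the embedded sample below.
    """
    listing = subprocess.run(["niutil", "-list", domain, "/users"],
                             capture_output=True, text=True, check=True).stdout
    names = [line.split()[-1] for line in listing.splitlines() if line.strip()]
    return {
        name: subprocess.run(["niutil", "-read", domain, f"/users/{name}"],
                             capture_output=True, text=True, check=True).stdout
        for name in names
    }


# Constructed sample: one upgraded-then-fixed account, one still on the old
# crypt() scheme (the passwd hash is a made-up 13-character placeholder), and
# one with no authentication_authority property at all.
SAMPLE_DUMPS = {
    "alice": "name: alice\nuid: 501\npasswd: ********\nauthentication_authority: ;ShadowHash;\n",
    "bob": "name: bob\nuid: 502\npasswd: ab1Cd2eF3gH4i\nauthentication_authority: ;Basic;\n",
    "carol": "name: carol\nuid: 503\npasswd: ********\n",
}


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_DUMPS)
    for user, status in sorted(report.items()):
        print(f"{user:10s} {status}")
    print("needs a password change:", ", ".join(weak_accounts(report)) or "none")
```

Accounts reported as weak are the ones to take through the Accounts preference pane as described in the hint; anything reported as unknown should be opened in NetInfo Manager and checked by hand.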

To fix this, it is necessary to change each account's login password in the Accounts System Preferences pane. The new password can be the same as the old password, but the practical upshot is that now all the characters will count. I'm indebted to Michael Conniff and Rafe H. on the Apple discussion boards for helping me sort this out.

[robg adds: The eight-character-limit was discussed in this really old hint, and we've also covered techniques for creating strong passwords, as well as a way to test your passwords' strength using a built-in Apple utility.]



Mac OS X Hints
http://hints.macworld.com/article.php?story=20041206090221302