User Password Maximum Length/accepted characters?
-
What is the maximum password length for the default user account (admin/pfsense)? Specifically for 2.3.3 Release amd64.
I have selected a password of 256 characters and I'm locked out, probably due to a way too long and truncated password.
-
We do not impose any limits on password length. The password is hashed with bcrypt, which has no length limits.
-
So in theory, a password of 256 characters should not encounter any technical problems?
-
We do not impose any limits on password length. The password is hashed with bcrypt, which has no length limits.
Doesn't pfSense use normal FreeBSD users/passwords?
Then it would be 128, per https://www.freebsd.org/cgi/man.cgi?query=passwd&sektion=1: "The total length of the password must be less than _PASSWORD_LEN (currently 128 characters)."
-
I wonder what you are trying to accomplish with such long passwords ::) A password that is 63 characters long and uses upper/lowercase letters and numbers has so much entropy that it's practically uncrackable within the time this universe will last. Even half of that, 32 such characters, is still major overkill.
-
We write a bcrypt hash to the user account directly. Generating a bcrypt hash is done in PHP and the result is stored in config.xml and then synchronized from there to the user account. We do not use FreeBSD utilities to set the password. When we manipulate users, we use pw(8).
That said, I ran some tests and it looks like 72 characters is the effective limit. Beyond that, it ignores characters in the password input. So if you set a 256 char password and entered it exactly, it would work, though chars past 72 are ignored.
-
Reading some more, I had some conflicting info before. bcrypt actually does have a 72-character limit, so that effectively becomes our password length limit for local passwords. That wouldn't affect RADIUS/LDAP.
-
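The 72-character limit measured in the post above is really a 72-byte limit, which matters for non-ASCII passwords. The following is an added example (editor's code, not pfSense's or any library's): it models bcrypt's truncation so you can check whether two inputs would be treated as the same password, reports when part of a password would be silently ignored, and shows the usual workaround of pre-hashing with SHA-256 and base64 so any length folds to 44 bytes. The `bcrypt` package import is optional and assumed; when it is present the demo also runs the real thing, and newer releases of that package refuse over-long input instead of truncating, which the demo reports rather than hides.

```python
"""Model bcrypt's 72-byte input limit and a pre-hash workaround (added example)."""
import base64
import hashlib
from typing import Optional

BCRYPT_MAX_BYTES = 72  # bcrypt keys on at most this many bytes (bytes, not characters)


def effective_bytes(password: str) -> bytes:
    """The bytes bcrypt actually uses: UTF-8 encoding cut at 72 bytes."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def bcrypt_equivalent(set_password: str, attempt: str) -> bool:
    """True if bcrypt would accept `attempt` for an account set to `set_password`."""
    return effective_bytes(set_password) == effective_bytes(attempt)


def check_length(password: str) -> Optional[str]:
    """Return a warning when part of the password would be silently ignored, else None."""
    raw = password.encode("utf-8")
    if len(raw) <= BCRYPT_MAX_BYTES:
        return None
    note = ""
    try:
        raw[:BCRYPT_MAX_BYTES].decode("utf-8")
    except UnicodeDecodeError:
        note = " (the cut falls inside a multi-byte character)"
    return f"{len(raw) - BCRYPT_MAX_BYTES} of {len(raw)} bytes ignored{note}"


def prehash(password: str) -> bytes:
    """Fold a password of any length to 44 ASCII bytes before handing it to bcrypt."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)  # 44 bytes, always below the 72-byte limit


def real_bcrypt_check(set_password: str, attempt: str) -> Optional[str]:
    """Run the real algorithm if the optional third-party 'bcrypt' package is installed.

    Returns "accepted", "rejected", "refused-by-library" (the library raised on
    over-long input instead of truncating), or None when the package is missing.
    """
    try:
        import bcrypt  # assumed optional dependency; not part of the stdlib
    except ImportError:
        return None
    try:
        stored = bcrypt.hashpw(set_password.encode("utf-8"), bcrypt.gensalt(rounds=4))
        ok = bcrypt.checkpw(attempt.encode("utf-8"), stored)
    except ValueError:
        return "refused-by-library"
    return "accepted" if ok else "rejected"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    long_pw = "a" * 256                 # the 256-character case from the thread
    prefix_pw = "a" * 72 + "WRONG"      # same first 72 bytes, different tail
    utf8_pw = "a" + "\u20ac" * 24       # 73 bytes: truncation splits the last euro sign

    for label, pw in (("256 ASCII", long_pw), ("72 ASCII", "a" * 72), ("UTF-8", utf8_pw)):
        print(f"{label:>9}: {check_length(pw) or 'fits in 72 bytes'}")
    print("256-char and 72-char-prefix passwords collide:", bcrypt_equivalent(long_pw, prefix_pw))
    print("pre-hashed length:", len(prehash(long_pw)), "bytes")
    print("real bcrypt:", real_bcrypt_check(long_pw, prefix_pw))
```

The `bcrypt_equivalent` check is the one to add to a password-change form: if the first 72 bytes of the new password equal those of the old one, the "change" is a no-op, and the user should be told so rather than left to discover it at login. Note that the pre-hash must be applied on both the set and the verify path, or every existing hash stops matching.
-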
I know this is an old topic but it's still relevant.
Just wanted to share...
I ran into an issue with pfSense user passwords with the iOS OpenVPN client. I used a 50-character password with upper and lower case, numbers and symbols and could not auth with it. I changed the password to 12 characters and was able to auth. The logs just showed auth failure with no detailed reason when I was using the longer passwords.
-
@kpa said in User Password Maximum Length/accepted characters?:
I wonder what are you trying to accomplish with such long passwords ::)
Password length is irrelevant as the hash length should remain the same. In fact, there could be an infinite number of passwords that return the same hash. Your mission, should you decide to accept it, is to find all those passwords.