Hello,
The main reason for that limit is the limited space available in mysql to store it, back when DA was written (4.x):
Code:
mysql> describe mysql.user;
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Field                 | Type                              | Null | Key | Default | Extra |
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Host                  | varchar(60) binary                |      | PRI |         |       |
| User                  | varchar(16) binary                |      | PRI |         |       |
| password              | varchar(16)                       |      |     |         |       |
...
That has since changed with MySQL 5.x:
Code:
mysql> describe mysql.user;
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Field                 | Type                              | Null | Key | Default | Extra |
+-----------------------+-----------------------------------+------+-----+---------+-------+
| Host                  | char(60)                          | NO   | PRI |         |       |
| User                  | char(16)                          | NO   | PRI |         |       |
| Password              | char(41)                          | NO   |     |         |       |
...
In any case, I've upped it to 64 (same as the limits for other areas). Reason being, I just noticed that with passwords that are extremely long, it didn't matter.. the crypt kept on changing the result if you add/remove characters. This means that "in theory", there doesn't need to be a limit. The crypt created will still be more or less unique to that password, similar to how the md5sum hash works. I would say the probable uniqueness would be somewhere around 41 characters... as it would be impossible to have as many unique combinations in 41 characters if passwords are 100 characters long.. there would need to be duplicates eventually. But if you change the 99th character, the entire 41 character crypt changes, so unless you type in all 100 characters correctly, you won't get the correct 41 character crypt. (There could be debate as to the chances of 2 crypts matching with different passwords, but the odds would be low, similar to md5sums.)
Anyway, thanks for the report, the "Change passwords" page will now allow up to 64, like the other areas.
Also note that the create database and create database user pages use the system password limit, which is already set to 64. This means that passwords set by Users never had the 16 character limit. Any length issues are given to mysql, but it seems (as mentioned above) that they've already taken into consideration the issue of long passwords in small spaces.
On a side note, as for your link to password breaking, I would agree that the computing power is there to try all combinations in a shorter time than before; however, you must have the crypt on the system that is doing the cracking in order for that to work (which is why /etc/shadow is not world readable, so they don't leave the box). If you're pounding away at a remote box trying all combinations through that service's connection, that box won't be able to keep up with the pace of the cracking box, and the admin will likely notice eventually, on top of the fact that many services notice this themselves these days. All that aside, there still isn't much debate: a longer password will be more secure.
John