Red Hat Bugzilla – Bug 5410
Linux only checks the first 8 characters of password entered
Last modified: 2008-05-01 11:37:51 EDT
Linux doesn't seem to check the full password string entered
against the password database, or only stores the first 8
letters. If my password was joelwener1010, entering
joelwene at a telnet or e-mail password prompt would be
accepted, and I would be logged into the system. This can
be a security problem, especially if the password is meant to
be long in the first place.
Standard unix behavior for crypt() password.
Turning on shadow & md5 passwords will solve this.
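
Added example, not part of the bug report or its replies: a Python sketch of why traditional DES crypt() accepts joelwene for joelwener1010, plus an audit pass that lists accounts whose hash field is still in the 13-character DES format. The function names and the sample passwd/shadow lines are assumptions constructed for illustration; the hash strings are placeholders, not real hashes.

```python
import re

def des_crypt_key_bits(password: str) -> bytes:
    """Password material traditional DES crypt() actually uses: the low
    7 bits of each of the first 8 bytes (56 bits). Later bytes are ignored."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes(b & 0x7F for b in raw)

# Traditional DES crypt output: 2 salt + 11 hash characters from [./0-9A-Za-z].
DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")

def scheme(field: str) -> str:
    """Classify the second field of a passwd/shadow line."""
    field = field.lstrip("!")      # a leading '!' only marks the account locked
    if field in ("", "*"):
        return "no-hash"
    if field == "x":
        return "shadowed"          # passwd entry whose hash lives in /etc/shadow
    if field.startswith("$1$"):
        return "md5"               # MD5 crypt hashes the whole password
    if field.startswith("$"):
        return "other-modular"
    if DES_HASH.fullmatch(field):
        return "des"               # only the first 8 characters matter
    return "unknown"

def truncating_accounts(lines):
    """Return the names of accounts whose stored hash is traditional DES."""
    flagged = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 2 and scheme(parts[1]) == "des":
            flagged.append(parts[0])
    return flagged

# Constructed sample lines in shadow format; hash values are placeholders.
SAMPLE = [
    "alice:abXXXXXXXXXXX:10000:0:99999:7:::",
    "bob:$1$constructed$AAAAAAAAAAAAAAAAAAAAAA:10000:0:99999:7:::",
    "carol:!!:10000:0:99999:7:::",
    "dave:x:1003:1003::/home/dave:/bin/sh",
]

if __name__ == "__main__":
    same = des_crypt_key_bits("joelwener1010") == des_crypt_key_bits("joelwene")
    print("DES crypt sees the same key material:", same)
    print("accounts still on DES crypt:", truncating_accounts(SAMPLE))
```

Accounts flagged here keep the 8-character limit until their password is set again after MD5 passwords are turned on, because the stored hash is only replaced at the next password change.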