What can a password contain - Programming On Unix

Hello nixers,
Let me throw a brainstorming session on a question I've always wondered about.
Can a unix password contain special characters, especially spaces?
I know that this is feasible, as I've tested it on the command line. It can contain anything utf-8, even non-printable characters as long as it doesn't have the default erase or kill characters.

However, the next question is: which utilities are going to break and which ones are going to still function properly?
Another question is, what happens when a password doesn't initially have an erase or kill character and the terminal settings are changed to make one of the characters one of these? Will it then be impossible to type the password as it would erase or stop the readline? What about sending the password via other types of inputs than readline, does it still work?

Let's have a go at testing this, the downsides and upsides.
Some points:
  • Remote login will be harder. On SSH you can still pipe the password as pure bytes
  • Login on the TTY will be almost impossible if there's no appropriate input method
  • polkit gnome authentication agent doesn't support alt-gr input, and crashed. It also doesn't support tab or any other special character.
  • lxpolkit supports alt-gr but doesn't support tab as it triggers switching between input buttons
I use spaces often enough as passwords, for machines I really don't care about, like VMs. It allows me to ssh in without changing the config, since accounts without passwords are *not* reachable via ssh without a key.

As for Alt+GR key, "it works here™", with `loadkeys fr`. I can thus use characters like "~" or "#" which are on altgr+2 and altgr+3 on azerty keyboards.
No problem either for "é" which is "2" on qwerty.
As passwords should never be stored in plain text, it shouldn’t matter which characters the original string contains - it is discarded anyway.
It should definitely not matter which characters are in the string but you should be able to input them, which is the issue here.
Like in the past, the erase and kill characters were # and @ so you couldn't have them in a password as it would mess up the readline.

This is specified in the passwd(1) manpage for example:

Quote: Care must be taken not to include the system default erase or kill characters.
passwd will reject any password which is not suitably complex.
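
The erase/kill question raised in this thread can be checked without touching a real login. The following is an added example, not code from any poster: it pushes a constructed password through a pseudo-terminal whose erase and kill characters are set to the historical `#` and `@`, then through a plain pipe. The function names `through_tty` and `through_pipe` and the sample passwords are made up for the illustration, and it assumes a Unix system where `os.openpty()` works.

```python
import os
import termios


def through_tty(typed: bytes, erase: bytes = b"#", kill: bytes = b"@") -> bytes:
    """Return what a program reading one line from a terminal receives.

    A pseudo-terminal stands in for the real one. Canonical mode (ICANON)
    stays on and only ECHO is switched off, as getpass-style prompts do,
    so the kernel's line discipline still interprets erase and kill.
    """
    master, slave = os.openpty()
    try:
        attrs = termios.tcgetattr(slave)
        attrs[3] = (attrs[3] | termios.ICANON) & ~termios.ECHO  # lflag
        attrs[6][termios.VERASE] = erase   # deletes the previous character
        attrs[6][termios.VKILL] = kill     # discards the whole line so far
        termios.tcsetattr(slave, termios.TCSANOW, attrs)
        os.write(master, typed + b"\n")            # the "keyboard" side
        return os.read(slave, 4096).rstrip(b"\n")  # the program's side
    finally:
        os.close(master)
        os.close(slave)


def through_pipe(sent: bytes) -> bytes:
    """Same bytes sent over a pipe: no terminal, so no line editing."""
    r, w = os.pipe()
    try:
        os.write(w, sent + b"\n")
        return os.read(r, 4096).rstrip(b"\n")
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real system.
    for pw in (b"pa#ss", b"pa@ss", "\u00e9 pass".encode()):
        print(pw, "-> tty:", through_tty(pw), "| pipe:", through_pipe(pw))
    # With erase/kill moved to DEL and ^U, '#' and '@' are ordinary again.
    print(through_tty(b"pa#ss@w0rd", erase=b"\x7f", kill=b"\x15"))
```

The password stored by `passwd` is whatever bytes reach the program, so a password set through one path and typed through another only matches if the terminal settings leave every one of its bytes alone.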