
mac_in_tosh

macrumors 6502a
Original poster
Nov 6, 2016
591
6,335
Earth
When you change passwords using Disk Utility, there apparently are only so many characters allotted for the new password, but I kept typing and later confirmed that it did accept the longer password. All well and good but I'm just wondering, since these drives have important data, if there's any reason to have limited my new password to the number of characters allotted in the input space e.g. compatibility with future OS's etc. Is there any Apple documentation on how long the password can be? This "Encrypt and protect a storage device" only says to enter and verify a password.
 

barbu

macrumors 65816
Jul 8, 2013
1,262
1,052
wpg.mb.ca
It likely just truncated your input. So your password is only as long as the max allowed.
 

chown33

Moderator
Staff member
Aug 9, 2009
10,902
8,732
A sea of green
Just guessing, but maybe the length of the recovery password is maximum-length. So whatever that length is, try it.

This assumes that one actually recorded the recovery password when the volume was encrypted.

Of course, if the recovery password length is maximal, then any recovery password for any encrypted volume would be the same length. So one could encrypt any other drive, such as a simple USB thumb drive, or a handy SD card, and see how long its recovery password is.


Incidentally, there's no particular reason a password couldn't have indefinite length, with all characters significant. Passwords undergo several transformations to produce keys, and one of those transformations is usually a hash of some sort. The input of a hash is indefinite length, with the output always of a definite fixed length that depends on the hash. All characters fed into the hash are significant.

Here's some info on how FileVault operates on passwords and manages keys:
 

mac_in_tosh

macrumors 6502a
Original poster
Nov 6, 2016
591
6,335
Earth
It likely just truncated your input. So your password is only as long as the max allowed.

We tested this by trying to mount the drive using just what would have been the truncated password (based on the number of characters in the password input space) and it wouldn't mount. It only mounted by using the full password. I'm just wondering if there's any foreseeable issue with using more characters.
 

chabig

macrumors G4
Sep 6, 2002
11,380
9,091
I think the passkey can be as long as you want. I use 32 characters.
 

chown33

Moderator
Staff member
Aug 9, 2009
10,902
8,732
A sea of green
Sorry, but I'm not sure what you mean by this.
Suppose there's a maximum length. Also suppose that any characters entered beyond that are simply ignored. For illustration purposes, let's say that's 24 chars.

Now, when the system encrypts the drive, it tells you a recovery password, which you should keep in a safe place. A prudent security rule would be "The recovery password is as long as practical", simply to avoid dictionary or brute-force attacks. So the system would generate a random recovery password that was the maximum length, i.e. the aforementioned 24 chars.

So if there's a maximum password length at all, then one could reasonably expect the recovery password to be that length, because that would be the most prudent rule for recovery passwords.

Or put another way, if there's a max password length, and the recovery password generator produces random passwords shorter than that, then it's not using the full available password strength. No rational security developer would do that intentionally.

All of this presupposes there is a maximum length, beyond which additional password chars are ignored. But your own results in post #4 contradict that, or at least show that any maximum length is greater than the length of the password you used.


As to possible issues, the main one that comes to mind is the possibility of you forgetting it.

I suppose ease of access is another possible issue. As a trivial example, suppose your password was the first 10 paragraphs of "War and Peace", in Russian. That would take a long time to enter, and you'd need perfect accuracy, so it would limit the ease with which you could gain access.
 
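The hashing point from chown33's post and the truncated-password test from post #4, sketched as an added example that is not part of the thread and is not Apple's implementation. PBKDF2-HMAC-SHA256, the iteration count, the `Volume` class and the sample password are assumptions for illustration; the 24-character limit is the illustrative figure from the post above.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000    # assumed; kept low so the probe runs quickly
FIELD_LIMIT = 24       # illustrative maximum length used in the thread
PASSWORD = "correct-horse-battery-staple-2016"   # constructed sample, 33 chars


def derive_key(password, salt):
    """Stretch a password of any length into a fixed 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Volume:
    """Toy stand-in for an encrypted volume: a salt plus a key check value."""

    def __init__(self, password, limit=None):
        self.limit = limit              # None means every character counts
        self.salt = os.urandom(16)
        self.check = self._verifier(password)

    def _verifier(self, password):
        # password[:None] is the whole string; an int limit silently truncates.
        key = derive_key(password[: self.limit], self.salt)
        # Store a MAC computed under the key, never the key itself.
        return hmac.new(key, b"volume-check", hashlib.sha256).digest()

    def unlock(self, attempt):
        return hmac.compare_digest(self._verifier(attempt), self.check)


def significant_length(volume, password):
    """Length of the shortest prefix of the real password that still unlocks."""
    for n in range(len(password) + 1):
        if volume.unlock(password[:n]):
            return n
    raise ValueError("password does not unlock this volume")


if __name__ == "__main__":
    hashed = Volume(PASSWORD)                         # all characters significant
    truncating = Volume(PASSWORD, limit=FIELD_LIMIT)  # extra characters ignored
    for name, vol in (("hashed", hashed), ("truncating", truncating)):
        print(name, "unlocks with first 24 chars:", vol.unlock(PASSWORD[:FIELD_LIMIT]),
              "| significant length:", significant_length(vol, PASSWORD))
```

A volume that rejects the 24-character prefix, as the drive in post #4 did, reports a significant length equal to the full password; a silently truncating one reports the limit.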