Re: logins with extra characters work!?!

On Mon, 10 Nov 1997, Brad Thompson wrote:

> > 
> > I installed Redhat 4.2, shadow-utils 960530, pam 0.57 and everything
> > "seemed" to work fine....until some students/users noticed that they could
> > login after entering their correct passwords "and then some more
> > characters" (i.e. correct password is bill, billddddeff still works)!! 
> > 
> This is a longtime wart of a number of unices.  When you encrypt a
> password, only the first eight characters are significant.  This has
> not been fixed in the redhat passwd packages.
>                                                   --Brad

Well, what else would you do? Here's a scenario that actually happened to
some administrator friends of mine with their root password...

They didn't understand the 8 character limit of passwords, and so set their
root password to be something more like 12 characters.

Later, when they'd su, they'd type in all 12 characters. It would work.
Of course, if they got the last couple wrong, it would still work.
(Incidentally, they used the same password on another platform which _did_
support the longer version... I ended up being the one who got burned
since I only could ever remember the first 8 characters! ;-)

IMHO, this is the way it should be, to protect people who don't know about
password length limits... The alternative would have been for every su for
my friends to fail (or in the case of a user, they'd think they were
locked out of their account). I guess the other alternative would be for
the passwd program to screen for longer passwords and warn the user, but
that doesn't seem feasible with the various avenues through which people
can change their passwords nowadays. (Most end-users I know think you need
Eudora or some similar program that happens to have a password changer to
change your password. *sigh*)

Now, if you want to go back and suggest that the crypt be replaced with
something more attentive to characters beyond 8, I'd say that you should
move to MD5 shadow password files, which permit much longer passwords.

Note also that the original example, I'm betting, isn't true -- if the
password is bill (i.e. 4 characters) and they type billybob, they won't get
logged in. It's only when the extra characters appear after the first 8.

Jim Hebert
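[Editor's note: the following is an added example, not code posted by anyone
in this thread. It models the rule under discussion: traditional DES-based
crypt(3) uses only the first 8 characters of the password, while MD5 crypt
("$1$" hashes) uses all of them. The hash itself is a stand-in (SHA-256 over
the salt and the significant part of the password), not the real DES
algorithm; only the truncation and the /etc/shadow layouts are modelled.
It also checks Jim's point that "bill" + "ybob" is rejected, since the extra
characters fall inside the first 8, and sketches the "screen and warn" check
a length-aware passwd could do.]

```python
"""Model of the 8-character significance rule of traditional crypt(3).

Added example, not from the original thread.  _stand_in_hash is NOT DES;
it only stands in so the stored-hash layouts and the comparison logic can
be exercised offline.
"""
import hashlib
import re

# Traditional crypt: 2-char salt + 11 hash chars, all from this alphabet.
_DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
DES_SIGNIFICANT_CHARS = 8   # only the first 8 bytes of the password are used


def hash_scheme(stored: str) -> str:
    """Classify a /etc/shadow hash field as 'des' or 'md5'."""
    if stored.startswith("$1$"):
        return "md5"
    if _DES_HASH_RE.match(stored):
        return "des"
    raise ValueError("unrecognised hash format: %r" % stored)


def significant_part(password: str, scheme: str) -> str:
    """Return the part of the password the scheme actually looks at."""
    if scheme == "des":
        return password[:DES_SIGNIFICANT_CHARS]
    return password            # MD5 crypt hashes the whole password


def _stand_in_hash(salt: str, key: str) -> str:
    # Stand-in for the real algorithm (assumption: any keyed digest will do
    # for modelling the truncation).  11 hex chars fit the DES alphabet.
    return hashlib.sha256((salt + "\0" + key).encode()).hexdigest()[:11]


def make_hash(password: str, scheme: str, salt: str) -> str:
    """Produce a stored-hash string in the layout of the given scheme."""
    key = significant_part(password, scheme)
    if scheme == "des":
        if len(salt) != 2:
            raise ValueError("traditional crypt salt is 2 characters")
        return salt + _stand_in_hash(salt, key)
    return "$1$%s$%s" % (salt, _stand_in_hash(salt, key))


def check_password(stored: str, candidate: str) -> bool:
    """Authenticate like login/su: re-hash the candidate with the stored salt."""
    scheme = hash_scheme(stored)
    salt = stored[:2] if scheme == "des" else stored.split("$")[2]
    return make_hash(candidate, scheme, salt) == stored


def passwd_warning(password: str, scheme: str):
    """What a length-aware passwd could tell the user (the 'screen and warn' idea)."""
    if scheme == "des" and len(password) > DES_SIGNIFICANT_CHARS:
        return ("only the first %d characters of your password will be checked"
                % DES_SIGNIFICANT_CHARS)
    return None


if __name__ == "__main__":
    # Constructed cases taken from the discussion above.
    bill = make_hash("bill", "des", "ab")
    print("bill / billddddeff:", check_password(bill, "billddddeff"))   # False
    print("bill / billybob:   ", check_password(bill, "billybob"))      # False
    root_des = make_hash("twelvechars!", "des", "xy")
    print("12-char DES, last 2 wrong:", check_password(root_des, "twelvecharXX"))  # True
    root_md5 = make_hash("twelvechars!", "md5", "xy")
    print("12-char MD5, last 2 wrong:", check_password(root_md5, "twelvecharXX"))  # False
    print("passwd warning:", passwd_warning("twelvechars!", "des"))
```

The two results worth noticing are the first and the third: a 4-character
password gains nothing from the rule (the typed extras land inside the 8
significant characters), while a 12-character DES password accepts any
garbage after position 8, exactly the su behaviour described above. Switching
the stored hash to the $1$ layout makes the same 12-character check strict.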

