Date: Tue, 27 Jun 2000 15:10:04 -0700 (PDT)
From: David Nugent <davidn@austel.net>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/19548: DES in 3.5-RELEASE allows trailing characters
Message-ID: <200006272210.PAA74011@freefall.freebsd.org>

The following reply was made to PR misc/19548; it has been noted by GNATS.

From: David Nugent <davidn@austel.net>
To: john@jfive.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/19548: DES in 3.5-RELEASE allows trailing characters
Date: Wed, 28 Jun 2000 07:10:33 +1000

john@jfive.com wrote:

> I can login using any password, provided my real password is the first substring.
> For example if my password was "plant", a password of "plant72495" will authenticate.

I am unable to reproduce this behaviour on 3.4-STABLE, 3.5-STABLE or
4.0-STABLE. Are you sure you tried the exact example you've quoted?

DES passwords do have a length limitation of 8 characters, which is a
known weakness in DES per se on all compatible UNIX platforms. If the
user's password is 8 characters or longer, then certainly anything
appended to the password is silently ignored when computing the hash.
Junk appended after shorter passwords will certainly be used in
deriving the hash.

This limitation of DES is documented, and is why md5 hashes are
generally preferred (the limitation there is 128 characters I believe).

--
|| David Nugent || TS Manager, ISP Limited ||
\\ davidn@austel.net | davidn@blaze.net.au | davidn@freebsd.org //
.\\ Ph: +61396422322 Fax: +61396422063 Cell: +61404867638 //.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200006272210.PAA74011>
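
Added example, not part of the original message and not FreeBSD's code: a sketch of the key setup step of traditional DES crypt(3), showing which trailing characters can and cannot affect the hash. The function names and all sample passwords other than "plant"/"plant72495" are constructed for illustration, and single-byte characters are assumed.

```python
# Added example: key setup of traditional DES crypt(3), not FreeBSD's source.
DES_KEY_CHARS = 8  # traditional crypt(3) reads at most 8 password bytes


def des_crypt_key(password: str) -> bytes:
    """Return the 8-byte DES key that traditional crypt(3) derives.

    Each of the first 8 bytes contributes its low 7 bits, shifted up one
    bit (DES ignores the low parity bit); short passwords are zero-padded.
    """
    raw = password.encode("latin-1")[:DES_KEY_CHARS]  # assumes 1 byte/char
    raw = raw.ljust(DES_KEY_CHARS, b"\0")
    return bytes((b << 1) & 0xFF for b in raw)


def same_des_hash(a: str, b: str) -> bool:
    """True if a and b must hash identically under every salt.

    The salt only perturbs the cipher, so equal keys give equal hashes.
    """
    return des_crypt_key(a) == des_crypt_key(b)


def ignored_tail(password: str) -> str:
    """Characters that never reach the hash (everything past the 8th)."""
    return password[DES_KEY_CHARS:]


if __name__ == "__main__":
    # Constructed sample passwords; "plant" is the example from the report.
    pairs = [
        ("plant", "plant72495"),        # short password plus junk
        ("plantation", "plantatiXYZ"),  # differ only after character 8
        ("password", "password123"),    # exactly 8 characters, then junk
    ]
    for a, b in pairs:
        print(f"{a!r} vs {b!r}: same hash = {same_des_hash(a, b)}, "
              f"ignored = {ignored_tail(b)!r}")
```
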