From owner-freebsd-bugs Tue Jun 27 15:10:11 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 81E4637B524 for ; Tue, 27 Jun 2000 15:10:04 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id PAA74011; Tue, 27 Jun 2000 15:10:04 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Date: Tue, 27 Jun 2000 15:10:04 -0700 (PDT)
Message-Id: <200006272210.PAA74011@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From: David Nugent
Subject: Re: misc/19548: DES in 3.5-RELEASE allows trailing characters
Reply-To: David Nugent
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR misc/19548; it has been noted by GNATS.

From: David Nugent
To: john@jfive.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/19548: DES in 3.5-RELEASE allows trailing characters
Date: Wed, 28 Jun 2000 07:10:33 +1000

john@jfive.com wrote:
> I can login using any password, provided my real password is the first substring.
> For example if my password was "plant", a password of "plant72495" will authenticate.

I am unable to reproduce this behaviour on 3.4-STABLE, 3.5-STABLE or 4.0-STABLE. Are you sure you tried the exact example you've quoted?

DES passwords do have a length limitation of 8 characters, which is a known weakness in DES per se on all compatible UNIX platforms. If the user's password is 8 characters or longer, then certainly anything appended to the password is silently ignored when computing the hash. Junk appended after shorter passwords will certainly be used in deriving the hash.

This limitation of DES is documented, and is why md5 hashes are generally preferred (the limitation there is 128 characters I believe).
--
|| David Nugent || TS Manager, ISP Limited ||
\\ davidn@austel.net | davidn@blaze.net.au | davidn@freebsd.org //
.\\ Ph: +61396422322 Fax: +61396422063 Cell: +61404867638 //.
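The 8-character truncation described in the reply is a property of traditional DES crypt(3), so the practical defensive question is which accounts on a host are still protected by DES hashes rather than MD5 ones. The following is an added example, not part of this PR thread or of FreeBSD's own code: it classifies the password field of each line in a master.passwd-style file by its hash format (a 13-character DES hash versus a `$1$` MD5 hash), lists the accounts that should be migrated, and models the truncation itself so the "plant" / "plant72495" case from the PR can be checked against an 8-or-longer password. The file contents and hash strings are constructed placeholders of the right shape, not real hashes; the format rules (DES: 2-char salt plus 11 hash chars from `[./0-9A-Za-z]`; MD5 crypt: `$1$`, up to 8 salt chars, `$`, 22 hash chars) are assumptions stated in the code.

```python
"""Audit a BSD master.passwd-style file for traditional DES crypt(3) hashes.

Added example for the PR thread above; not part of the PR or of FreeBSD.
Assumed formats: a DES crypt hash is 13 characters from [./0-9A-Za-z]
(2-character salt + 11-character hash); an MD5 crypt hash is "$1$", up to
8 salt characters, "$", then 22 hash characters. The sample file content
below is constructed, not real account data.
"""
import re

# Traditional DES crypt(3) only feeds the first 8 characters of the
# password into the DES key; anything after that never reaches the hash.
DES_MAX_PASSWORD_LEN = 8

DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{0,8}\$[./0-9A-Za-z]{22}$")


def hash_scheme(hash_field):
    """Classify the password field of one account line."""
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("*", "!")):
        return "locked"
    if MD5_CRYPT_RE.match(hash_field):
        return "md5"
    if DES_CRYPT_RE.match(hash_field):
        return "des"
    return "unknown"


def des_effective_password(password):
    """The part of a password that actually influences a DES crypt hash."""
    return password[:DES_MAX_PASSWORD_LEN]


def des_hashes_collide(candidate, real_password):
    """True if DES crypt (same salt) would hash both strings identically.

    This is the trailing-character behaviour discussed in the PR: for a real
    password of 8 or more characters any appended suffix is ignored, while
    for a shorter password the appended characters change the hash, so
    "plant" and "plant72495" do NOT collide.
    """
    return des_effective_password(candidate) == des_effective_password(real_password)


def audit_master_passwd(text):
    """Return [(user, scheme)] for every account line in master.passwd text."""
    results = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        # master.passwd: name:password:uid:gid:class:change:expire:gecos:home:shell
        fields = line.split(":")
        if len(fields) < 2:
            continue
        results.append((fields[0], hash_scheme(fields[1])))
    return results


def accounts_needing_migration(text):
    """Users still on DES hashes, i.e. candidates for moving to MD5 crypt."""
    return [user for user, scheme in audit_master_passwd(text) if scheme == "des"]


# Constructed sample; the hash strings are placeholders of the right shape, not real hashes.
SAMPLE_MASTER_PASSWD = """\
# constructed sample master.passwd
root:$1$ab$0123456789abcdefghijkl:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
alice:abCDEFGHIJ012:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$xy$zyxwvutsrqponmlkjihgfe:1002:1002::0:0:Bob:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    for user, scheme in audit_master_passwd(SAMPLE_MASTER_PASSWD):
        print(f"{user:10s} {scheme}")
    print("needs migration:", accounts_needing_migration(SAMPLE_MASTER_PASSWD))
    print("plant vs plant72495 collide under DES:",
          des_hashes_collide("plant72495", "plant"))
    print("plantation vs plantati99 collide under DES:",
          des_hashes_collide("plantati99", "plantation"))
```

Run against a copy of the real file (`vipw` output or `/etc/master.passwd` read as root) the audit lists exactly the accounts for which the reply's caveat applies; migrating those users to MD5 hashes, as the reply recommends, removes the 8-character truncation for them.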