[ic] security problem in Admin UI login?

Aaron Hazelton interchange-users@icdevgroup.org
Thu Aug 15 09:50:01 2002


Kevin Walsh wrote:
> 
> > 
> > I just discovered something when I *mis*-typed my password
> > to get into an Admin for an IC site.....
> > 
> > I have a password which includes letters AND numbers......
> > 
> > If I type in the letters only and leave off the numbers .... I'm in.
> > 
> > If I type in the whole thing..... I'm in.
> > 
> > If I type in only *part* of the letters correctly (although it needs
> > to be most of them).... I'm in.
> > 
> > Can anyone else confirm this?
> > RH Linux 7.2
> > IC 4.8.3
> > 
> > I confirmed that all cookies/cache were deleted and a new
> > browser window opened, and all of the above worked in IE 6
> > as well as in Opera.
> > 
> > This could be a serious thing....
> > 
> Interchange uses crypt() which only uses the first eight characters
> of your password.  If, in your test, your numbers come after the
> first eight characters then crypt() will not notice if you omit them.
> 
> 7 bits * 8 characters = 56 bit key.
> 
> For this reason, "password" (8 chars) is treated the same as
> "password123" while "password" is not the same as "pass1234" or
> "passwd12".  If your password was "pass1234" then leaving off the
> numbers would cause the password comparison to fail.
> 


VERY informative, Kevin.... is this information posted anyplace?
I do not remember seeing that. In other words, your password should
be limited to 8 characters?!?

thanks for the info.... I need to change some passwords!!!

> -- 
>    _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
>   _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
>  _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
> _/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
> 

Sincerely,
Aaron Hazelton
>>Hazenet<<
aaron@hazenet.net
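Kevin's point about crypt() only looking at the first eight characters, as an added Perl example (not Interchange's own code). It assumes the system libcrypt still supports the traditional two-character DES salt; the salt, account name and passwords are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: why a traditional crypt() hash ignores everything after
# the eighth character, and how to spot such hashes before trusting them.
use strict;
use warnings;

# A traditional DES crypt() hash is exactly 13 characters: a 2-character
# salt followed by 11 hash characters, with no "$id$" prefix. Hashes that
# start with "$" ($1$ MD5, $5$/$6$ SHA) use the whole password.
sub is_des_hash {
    my ($hash) = @_;
    return (defined $hash && $hash =~ m{^[./0-9A-Za-z]{13}$}) ? 1 : 0;
}

# The usual verification idiom: re-hash the candidate with the stored hash
# as salt and compare. With a DES hash, crypt() truncates the candidate to
# 8 characters first, which is what the original poster observed.
sub password_matches {
    my ($candidate, $stored) = @_;
    return crypt($candidate, $stored) eq $stored ? 1 : 0;
}

# How many characters of a plaintext actually count against a stored hash.
# Useful at password-set time to warn that the tail of a long password
# adds nothing when the site is still on DES crypt().
sub significant_length {
    my ($plaintext, $stored) = @_;
    return is_des_hash($stored) ? 8 : length $plaintext;
}

# Constructed demonstration: one admin account, DES hash of "pass1234".
my $salt   = "ab";                       # constructed 2-char DES salt
my $stored = crypt("pass1234", $salt);
die "libcrypt on this system no longer supports DES crypt()\n"
    unless is_des_hash($stored);

printf "stored hash (DES): %s\n", $stored;
printf "'pass1234'   matches: %d\n", password_matches("pass1234",   $stored);  # 1
printf "'pass1234xy' matches: %d\n", password_matches("pass1234xy", $stored);  # 1, tail ignored
printf "'pass'       matches: %d\n", password_matches("pass",       $stored);  # 0, within 8 chars
printf "significant chars of a 16-char password: %d\n",
       significant_length("correcthorsebatt", $stored);                         # 8
```

Against a `$6$` (SHA-512) hash, `significant_length` returns the full length, so the same check also shows when a site has moved off DES.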