[ic] security problem in Admin UI login?

Kevin Walsh interchange-users@icdevgroup.org
Thu Aug 15 11:08:01 2002


> > > 
> > > I have a password which includes letters AND numbers......
> > > 
> > > If I type in the letters only and leave off the numbers .... I'm in.
> > > 
> > > If I type in the whole thing..... I'm in.
> > > 
> > > If I type in only *part* of the letters correctly (although it needs
> > > to be most of them).... I'm in.
> > > 
> > Interchange uses crypt() which only uses the first eight characters
> > of your password.  If, in your test, your numbers come after the
> > first eight characters then crypt() will not notice if you omit them.
> > 
> > 7 bits * 8 characters = 56 bit key.
> > 
> > For this reason, "password" (8 chars) is treated the same as
> > "password123" while "password" is not the same as "pass1234" or
> > "passwd12".  If your password was "pass1234" then leaving off the
> > numbers would cause the password comparison to fail.
> > 
> VERY informative, Kevin.... is this information posted anyplace?
> I do not remember seeing that.  In other words, your password should
> be limited to 8 characters?!?
> 
> thanks for the info.... I need to change some passwords!!!
> 
The crypt() function is pretty standard in UNIX systems.  If you're
using passwd/shadow files to store your UNIX accounts then you'll
find that your root password will also show the same symptoms, as
will the password used by all of your other accounts.

You don't have to reduce the length of your passwords.  Just remember
that only the first eight characters are actually used.

To answer your question, the information is posted in the crypt(3)
manpage (man crypt).  The relevant block of text reads:

    By taking the lowest 7 bit of each character of the key, a 56-bit
    key is obtained.  This  56-bit key is used to encrypt repeatedly
    a constant string

That's the UNIX way of saying that only the first eight characters
are used. :-)

You can still make up a difficult to guess (and remember) password
using only eight characters.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
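The truncation Kevin describes can be checked without a UNIX box. The following is an added example, not code from the thread, from Interchange or from any crypt(3) implementation: it models only the key-derivation step the manpage quote describes (first eight characters, lowest 7 bits of each, giving 56 bits), so that an administrator can see which passwords are indistinguishable to traditional DES crypt() and which characters it silently discards. The function names, the PBKDF2 contrast and the constructed salt are this example's own assumptions.

```python
"""Model of the key derivation in traditional DES-based crypt(3).

crypt(3) keeps the first eight characters of the password and the lowest
7 bits of each, forming a 56-bit DES key that encrypts a constant string.
Everything past the eighth character is ignored.  This models just the
key derivation (not the DES encryption), so it runs without libcrypt.
"""
import hashlib


def des_crypt_key(password: str) -> int:
    """Return the 56-bit key crypt(3) would derive from ``password``.

    Only password[:8] contributes, 7 bits per character.  Two passwords
    that agree on these 56 bits are the same password to crypt(3).
    """
    head = password[:8]
    key = 0
    for ch in head:
        key = (key << 7) | (ord(ch) & 0x7F)
    # A password shorter than eight characters is NUL-padded by crypt(3);
    # model that as zero bits in the remaining positions.
    key <<= 7 * (8 - len(head))
    return key


def same_under_des_crypt(a: str, b: str) -> bool:
    """True when crypt(3) could not tell the two passwords apart."""
    return des_crypt_key(a) == des_crypt_key(b)


def ignored_suffix(password: str) -> str:
    """The characters crypt(3) would silently discard (empty if none)."""
    return password[8:]


def audit_password(password: str) -> str:
    """Defender-side check: warn when part of a password is never used."""
    tail = ignored_suffix(password)
    if not tail:
        return "ok: every character is used by crypt(3)"
    return (f"warning: {len(tail)} character(s) ({tail!r}) are ignored; "
            f"only {password[:8]!r} is checked")


def modern_kdf_distinguishes(a: str, b: str) -> bool:
    """Contrast: a modern KDF (PBKDF2-HMAC-SHA256, constructed salt) uses
    every character, so the same pair is no longer equivalent."""
    salt = b"constructed-salt"  # fixed only so the comparison is fair
    ha = hashlib.pbkdf2_hmac("sha256", a.encode(), salt, 10_000)
    hb = hashlib.pbkdf2_hmac("sha256", b.encode(), salt, 10_000)
    return ha != hb


if __name__ == "__main__":
    for pair in (("password", "password123"), ("password", "pass1234")):
        print(pair, "same to crypt(3):", same_under_des_crypt(*pair),
              "| modern KDF distinguishes:", modern_kdf_distinguishes(*pair))
    print(audit_password("password123"))
```

Running it reproduces the thread's cases: "password" and "password123" derive the same 56-bit key, while "password" and "pass1234" do not, and the audit line reports which characters of "password123" never reach the comparison.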