| Summary: | Password during Login | | |
|---|---|---|---|
| Product: | Base System | Reporter: | sherwin <sherwin> |
| Component: | i386 | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | 4.0-RELEASE | | |
| Hardware: | Any | | |
| OS: | Any | | |

Description
sherwin
2000-05-02 07:20:00 UTC
On Mon, May 01, 2000 at 11:11:46PM -0700, sherwin@newpagcor.com wrote:
>
> I found out that during login phase, FreeBSD does not check the
> password if it's longer than the stored password of the user against the
> inputted one.

This is a misstatement of the "problem". What is happening is that with the standard DES-based UNIX password scheme, only the first 8 characters of the password are significant. What is happening is that there is no difference between "qwerty12" and "qwerty1234" because "qwerty1234" is truncated to "qwerty12".

While this behavior may not be ideal in general, it is the correct behavior in that all UNIX and UNIX-like systems have the same behavior. Changing the password system to reject all passwords greater than 8 characters when using DES hashing would "fix" the problem, but would add no real security and would cause great confusion by changing years of standard behavior.

I would recommend closing this PR.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.

State Changed
From-To: open->closed

Behaviour explained by Brooks; see the Handbook for more information.
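
Added example, not part of the original PR thread or of FreeBSD's code: a Python sketch of the key bytes that traditional DES crypt(3) reads from a password, which is why "qwerty12" and "qwerty1234" are indistinguishable, plus an audit helper that lists accounts whose stored hash uses that scheme. The function names and the sample `master.passwd`-style lines are assumptions made for illustration; the hash strings are constructed placeholders, not real hashes.

```python
import re

# Traditional crypt(3) hash: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
TRADITIONAL_DES = re.compile(r"^[./0-9A-Za-z]{13}$")


def des_key_material(password: str) -> bytes:
    """Key bytes traditional DES crypt(3) derives from a password.

    Only the first 8 bytes are read, and only the low 7 bits of each
    (shifted left by one); shorter passwords are zero-padded.
    """
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes((b << 1) & 0xFF for b in raw)


def hash_scheme(field: str) -> str:
    """Classify the password field of a master.passwd/shadow entry."""
    if field.startswith("$"):
        return "modular"          # $1$ (MD5), $2a$/$2b$ (Blowfish), ...
    if field.startswith("_"):
        return "extended-des"     # BSDi extended DES
    if TRADITIONAL_DES.match(field):
        return "traditional-des"  # passwords truncated to 8 characters
    return "locked-or-empty"      # "*", "*LOCKED*...", or no password set


def accounts_with_truncation(lines):
    """Return login names whose stored hash uses traditional DES."""
    flagged = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) >= 2 and hash_scheme(fields[1]) == "traditional-des":
            flagged.append(fields[0])
    return flagged


# Constructed master.passwd-style lines; the hash strings are placeholders.
SAMPLE = [
    "bob:abCONSTRUCTED:1001:1001::0:0:Sample:/home/bob:/bin/sh",
    "alice:$1$saltsalt$CONSTRUCTEDPLACEHOLDER:1002:1002::0:0:Sample:/home/alice:/bin/sh",
    "daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin",
]

if __name__ == "__main__":
    print(des_key_material("qwerty12") == des_key_material("qwerty1234"))
    print(accounts_with_truncation(SAMPLE))
```

Accounts flagged by `accounts_with_truncation` only pick up a longer effective password after the system's hash format is changed and the password is set again, since the stored hash keeps its original scheme.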