Subject: Re: Insecure Password?
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: Feico Dillema <dillema@acm.org>
List: netbsd-help
Date: 07/10/1998 12:50:00
Your message dated: Thu, 09 Jul 1998 15:57:21 +0200
>Your message dated: Thu, 09 Jul 1998 09:45:36 -0400
>>only these two? And if you don't mind, you could always tell us
>>the two passwords and corresponding hashed output (after changing it
>>on your side, of course :-) ).
I've done some testing and tried to reproduce it and basically found out what
went wrong. It seems to boil down to what I would call a small user-interface
problem. I'll try to give an explanation below, which contains several
assumptions that may be wrong due to lack of knowledge on my part. I'd like
some comments on it from the more knowledgeable around here to see if the
explanation is right.
I thought (!!!) the following password was set for this user account:
3241sd
However, I could login using passwords like:
3241tf
3241whatever
It didn't seem to matter what came after the first 4 digits at all, which
seemed rather strange.
My Explanation so far:
Assumption: Only 8 characters of a password are significant.
Little Fact: The digits in the password were typed on the numeric keypad
with numlock in the `wrong' position.
The `digits' on the numeric keypad produced escape/control codes, each of two
characters (I guess).
Another Little Fact: 2*4 = 8
Summary: While I thought I typed four digits, I produced 8 control characters
instead, leaving the rest of the password characters as insignificant.
Opinion: I think this should be regarded as a security bug, although minor.
The usefulness of allowing control characters seems rather limited to me,
as these are often difficult to reproduce on different
systems/keyboards/configurations. I think the `passwd' command should
therefore not allow the use of control characters in passwords and give an
error or at least a warning about it, as what the system actually does and
what the user thinks it does may be different. The other reason would be that
such a password is rather weak: it has about the strength of a four-digit
password where an 8-digit one is expected.
Feico Dillema.
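The checks proposed in the message, worked through as an added example (not NetBSD's passwd code and not part of the thread). It assumes the classic crypt(3) behaviour the thread describes, where only the first 8 characters of a password are significant, and uses a constructed keypad table in which each keypad digit with numlock in the "wrong" position sends a two-character ESC sequence, as the message guesses; the sequences are illustrative, not real terminal codes.

```python
SIGNIFICANT_CHARS = 8   # classic crypt(3): only the first 8 characters matter
ESC = "\x1b"

# Constructed for illustration: what four keypad digits might send with numlock
# in the "wrong" position, two characters each as the message assumes.  These
# are not real terminal codes.
KEYPAD_NUMLOCK_OFF = {"1": ESC + "q", "2": ESC + "r", "3": ESC + "s", "4": ESC + "t"}

def typed(keys, numlock_off):
    """Simulate the characters the terminal delivers for a run of keystrokes."""
    return "".join(KEYPAD_NUMLOCK_OFF.get(k, k) if numlock_off else k for k in keys)

def control_chars(password):
    """Control characters (0x00-0x1f, 0x7f) present in the password."""
    return [c for c in password if ord(c) < 0x20 or ord(c) == 0x7f]

def significant_part(password):
    """The part of the password that crypt(3) actually uses."""
    return password[:SIGNIFICANT_CHARS]

def same_effective_password(a, b):
    """True if crypt(3) would accept either password for the other's hash."""
    return significant_part(a) == significant_part(b)

def keystrokes(text):
    """Group ESC plus its following character into one keystroke."""
    out, i = [], 0
    while i < len(text):
        n = 2 if text[i] == ESC and i + 1 < len(text) else 1
        out.append(text[i:i + n])
        i += n
    return out

def check_password(password):
    """Warnings a passwd-style tool could print; an empty list means no problem found."""
    warnings = []
    if ctrl := control_chars(password):
        warnings.append("contains %d control character(s)" % len(ctrl))
    if len(password) > SIGNIFICANT_CHARS:
        warnings.append("only the first %d characters are significant; %d ignored"
                        % (SIGNIFICANT_CHARS, len(password) - SIGNIFICANT_CHARS))
    keys = keystrokes(significant_part(password))
    if len(keys) < len(significant_part(password)):
        # fewer keystrokes than characters: strength is that of the keystroke count
        warnings.append("effective strength is only %d keystroke(s)" % len(keys))
    return warnings
```

With this, `check_password("3241sd")` is clean, while the numlock-off version of the same password (`typed("3241", True) + "sd"`) gets all three warnings and compares equal to `typed("3241", True) + "whatever"`, which is exactly the login behaviour reported above.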