Re: passwords and crypt?
Roger Keays <rogerk@ieee.org> writes:
> I'm not sure if this is common knowledge or not, but I have just noticed
> the effects of having the first two letters of your password the same as
> the first two in your login name... You can use any extension of your
> password!!
Wrong. You can guess the first two characters of the username if you use it
as a salt.
> e.g., on my Woody box I added a user called 'ron' and his password was
> 'roniosko'. He could log in with 'ronioskos', 'ronioskoasdfasd' and so
> forth!
That's a consequence of passwords being truncated at 8 chars before running
crypt() on them.
> Can anyone else reproduce this?
I'd be surprised if I couldn't!
~Tim
--
Can you tell me how to get, |piglet@stirfried.vegetable.org.uk
How to get to Sesame Street? |http://spodzone.org.uk/
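
The truncation described in the reply above, as an added example that is not part of the original thread: it models the key material traditional DES-based crypt() uses (the low 7 bits of each of the first 8 bytes, as documented in crypt(3)) and flags shadow entries stored in that format. The function names and the sample shadow lines are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2-char salt + 11-char hash over [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed shadow(5) lines; the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$1$constructed$notARealHashValue00000:11800:0:99999:7:::
ron:ZqCONSTRUCTED:11800:0:99999:7:::
daemon:*:11800:0:99999:7:::
"""


def des_crypt_key(password):
    """Key material traditional crypt() derives from a password: the low
    7 bits of each of the first 8 bytes, zero-padded. The rest is ignored."""
    raw = password.encode()[:8].ljust(8, b"\0")
    return bytes(b & 0x7F for b in raw)


def equivalent(a, b):
    """True if traditional crypt() cannot tell the two passwords apart."""
    return des_crypt_key(a) == des_crypt_key(b)


def scheme(hash_field):
    """Classify the password field of a shadow entry by its format."""
    if not hash_field or hash_field[0] in "!*":
        return "no-hash"
    if hash_field.startswith("$"):
        # Modular formats such as $1$ (MD5-crypt) do not truncate at 8.
        return "modular:" + hash_field.split("$")[1]
    if DES_CRYPT_RE.match(hash_field):
        return "des-crypt"
    return "unknown"


def truncating_accounts(shadow_text):
    """Names of accounts whose stored hash is in the 8-character-limited format."""
    names = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and scheme(fields[1]) == "des-crypt":
            names.append(fields[0])
    return names


if __name__ == "__main__":
    for candidate in ("ronioskos", "ronioskoasdfasd", "ronioskX"):
        print(candidate, equivalent("roniosko", candidate))
    print("accounts to migrate:", truncating_accounts(SAMPLE_SHADOW))
```

The equivalence depends only on the password bytes, not on the salt or the login name.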