
Re: passwords and crypt?



Roger Keays <rogerk@ieee.org> writes:

> I'm not sure if this is common knowledge or not, but I have just noticed
> the effects of having the first two letters of your password the same as
> the first two in your login name... You can use any extension of your
> password!!

Wrong. You can guess the first two characters of the username if you use it
as a salt.

> e.g., on my Woody box I added a user called 'ron' and his password was
> 'roniosko'. He could log in with 'ronioskos', 'ronioskoasdfasd' and so
> forth!

That's a consequence of passwords being truncated at 8 chars before running
crypt() on them.

> Can anyone else reproduce this?

I'd be surprised if I couldn't!

~Tim
-- 
Can you tell me how to get,                 |piglet@stirfried.vegetable.org.uk
How to get to Sesame Street?                |http://spodzone.org.uk/
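
The following is an added example, not part of the original message: it models the key-derivation step of traditional DES crypt() (low 7 bits of the first 8 bytes) to show why the extended passwords in the thread are accepted, and audits shadow-style entries for hashes of that 13-character shape. The function names and the sample entries (including the placeholder hash fields) are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2 salt characters followed by 11 hash
# characters, all from the alphabet [./0-9A-Za-z], 13 characters in total.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def des_key_material(password: str) -> bytes:
    """Return the 8 bytes traditional crypt() derives its 56-bit key from:
    the low 7 bits of each of the first 8 bytes, zero-padded if shorter."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes(b & 0x7F for b in raw)

def collide(a: str, b: str) -> bool:
    """True if both passwords give the same key, hence the same hash
    for any given salt."""
    return des_key_material(a) == des_key_material(b)

def audit(shadow_lines):
    """List (user, salt_is_login_prefix) for every account whose hash field
    has the traditional DES crypt shape, i.e. is subject to truncation."""
    findings = []
    for line in shadow_lines:
        user, field = line.split(":")[:2]
        if DES_CRYPT.fullmatch(field):
            findings.append((user, field[:2] == user[:2]))
    return findings

# Constructed shadow-style entries; the hash fields are placeholders,
# not real crypt() output.
SAMPLE = [
    "ron:" + "ro" + "A" * 11 + ":12000:0:99999:7:::",
    "bob:" + "x9" + "B" * 11 + ":12000:0:99999:7:::",
    "alice:$1$constructed$" + "C" * 22 + ":12000:0:99999:7:::",
    "daemon:*:12000:0:99999:7:::",
]

if __name__ == "__main__":
    for guess in ("ronioskos", "ronioskoasdfasd", "roniosk"):
        print(guess, collide("roniosko", guess))
    print(audit(SAMPLE))
```

Accounts reported by `audit` are the ones to move to a scheme that hashes the whole password; the second tuple element marks entries whose salt is simply the first two characters of the login name.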


