On 24.03.2014 12:47, Gedalya wrote:
On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote:
we use dovecot 2.0.9 and authentication against a mysql database. Everything works fine, but we found some weird behavior – when the password is e.g. “testpass” you also authenticate successfully with “testpass123” or “testpassNOT”. Whatever comes after the correct password doesn’t matter, the authentication is still successful. .. default_pass_scheme = CRYPT
http://wiki2.dovecot.org/Authentication/PasswordSchemes --
CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. "pass" = vpvKh.SaNbR6s)
Dovecot uses libc's crypt() function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly also other password schemes. See all of the *-CRYPT schemes at the top of this page.
>> *The traditional DES-crypt scheme only uses the first 8 characters of the password, the rest are ignored.* Other schemes may have other password length limitations (if they limit the password length at all)
My passwords have 19 chars and my Linux login does not accept only the first 8 ones; that has been the state for many years now.
Frankly, 8 chars is laughable. I recently wrote a PHP library to generate secure random passwords, and for 100000 passwords getting 13 collisions is way too much, given that that means you have a collision every 8000 tries, which means now you need 8000 in a real-world attack.
GENERATED: 100000 COLLISIONS: 13
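As an added illustration (not code from the thread or from Dovecot), here is a small audit script for the situation discussed above: it classifies stored password fields by scheme so the entries that were hashed with traditional DES crypt (13 characters, no `$` prefix, hence only the first 8 password characters covered) can be found and re-hashed. The sample rows, user names and hash values are constructed for the example; the `{SCHEME}` prefix handling follows Dovecot's documented per-password scheme override.

```python
import re

# Constructed sample rows resembling (user, password) output of a passdb SQL query.
# The DES hash is the page's own example for "pass"; the other values are made up.
SAMPLE_ROWS = [
    ("alice@example.com", "vpvKh.SaNbR6s"),                        # traditional DES crypt
    ("bob@example.com", "$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0"),     # MD5-CRYPT
    ("carol@example.com", "$6$rounds=5000$abcdefgh$" + "x" * 86), # SHA512-CRYPT
    ("dave@example.com", "{SHA256-CRYPT}$5$abcdefgh$" + "y" * 43), # explicit scheme prefix
    ("erin@example.com", "{CRYPT}vpvKh.SaNbR6s"),                  # CRYPT prefix, DES underneath
    ("frank@example.com", "not-a-valid-hash"),
]

# Traditional DES crypt output: 13 characters from the ./0-9A-Za-z alphabet.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
SCHEME_PREFIX_RE = re.compile(r"^\{([A-Za-z0-9.-]+)\}(.*)$")


def classify(stored: str) -> str:
    """Return the password scheme a stored value appears to use."""
    m = SCHEME_PREFIX_RE.match(stored)
    if m:
        scheme, rest = m.group(1).upper(), m.group(2)
        # {CRYPT} means "whatever libc crypt() recognizes", so look at the hash itself.
        if scheme == "CRYPT":
            return classify(rest)
        return scheme
    if stored.startswith("$1$"):
        return "MD5-CRYPT"
    if stored.startswith("$5$"):
        return "SHA256-CRYPT"
    if stored.startswith("$6$"):
        return "SHA512-CRYPT"
    if DES_CRYPT_RE.match(stored):
        return "DES-CRYPT"
    return "UNKNOWN"


def find_truncating_entries(rows):
    """Users whose stored hash covers only the first 8 password characters."""
    return [user for user, stored in rows if classify(stored) == "DES-CRYPT"]


if __name__ == "__main__":
    for user in find_truncating_entries(SAMPLE_ROWS):
        print(f"{user}: DES-crypt hash, only 8 password characters verified")
```

Entries the script reports keep accepting any suffix after the eighth character until they are re-hashed with a scheme that covers the full password.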