[Dovecot] Weird Authentication behaviour

Reindl Harald h.reindl at thelounge.net
Mon Mar 24 12:30:10 UTC 2014


Am 24.03.2014 12:47, schrieb Gedalya:
> On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote:
>> we use dovecot 2.0.9 and authentication against a mysql database. Everything
>> works fine, but we found some weird behavior – when the password is e.g.
>> “testpass” you also authenticate successfully with “testpass123” or
>> “testpassNOT”. Whatever comes after the correct password doesn’t matter, the
>> authentication is still successful.
> ..
>> default_pass_scheme = CRYPT
>>
> http://wiki2.dovecot.org/Authentication/PasswordSchemes --
> 
> CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. "pass" = vpvKh.SaNbR6s)
> 
> Dovecot uses libc's crypt() function, which means that CRYPT is usually able to recognize MD5-CRYPT and possibly
> also other password schemes. See all of the *-CRYPT schemes at the top of this page.
> *The traditional DES-crypt scheme only uses the first 8 characters of the password, the rest are ignored.* Other
> schemes may have other password length limitations (if they limit the password length at all)

My passwords have 19 chars and my Linux login does not accept only
the first 8 ones; that has been the state for many years now.

Frankly, 8 chars is laughable. I recently wrote a PHP library to
generate secure random passwords, and for 100000 passwords getting
13 collisions is way too much, given that that means you have
a collision every 8000 tries, which means you do not need 8000
in a real world attack.

GENERATED:  100000
COLLISIONS: 13
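Added example, not code from this thread or from Dovecot: a small audit over a constructed passdb export that classifies each stored hash by its crypt(3) format, reports which schemes truncate the password, and shows which part of a candidate password such a scheme actually compares (reproducing the "testpass" vs "testpass123" symptom for DES-crypt). Scheme names follow Dovecot's naming; apart from the wiki's `vpvKh.SaNbR6s` example, the hash strings are format-only placeholders of the right length, not real hashes.

```python
import re
from typing import List, Optional, Tuple

# crypt(3)-style hash formats and how many password characters each scheme
# actually hashes (None = whole password). Traditional DES-crypt honours only
# the first 8; bcrypt only the first 72 bytes; MD5-/SHA-crypt do not truncate.
SCHEMES: List[Tuple[str, "re.Pattern[str]", Optional[int]]] = [
    ("DES-CRYPT", re.compile(r"^[./0-9A-Za-z]{13}$"), 8),
    ("MD5-CRYPT", re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), None),
    ("SHA256-CRYPT", re.compile(r"^\$5\$(?:rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{43}$"), None),
    ("SHA512-CRYPT", re.compile(r"^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$"), None),
    ("BLF-CRYPT", re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"), 72),
]

# Constructed passdb rows (user, stored hash). Only the first hash is real:
# it is the wiki's DES-crypt example for "pass". The others are format-only
# placeholders of the correct length, not hashes of any password.
SAMPLE_ROWS = [
    ("alice@example.com", "vpvKh.SaNbR6s"),
    ("bob@example.com", "$1$saltsalt$" + "x" * 22),
    ("carol@example.com", "$6$rounds=5000$saltsalt$" + "x" * 86),
    ("dave@example.com", "$2y$10$" + "x" * 53),
]

def identify_scheme(stored: str) -> Tuple[str, Optional[int]]:
    """Return (scheme name, number of password chars the scheme compares)."""
    for name, pattern, limit in SCHEMES:
        if pattern.match(stored):
            return name, limit
    return "UNKNOWN", None

def effective_password(password: str, limit: Optional[int]) -> str:
    """The part of a candidate password the scheme will actually check.
    (bcrypt's limit is 72 bytes; for ASCII passwords bytes == chars.)"""
    return password if limit is None else password[:limit]

def audit_passdb(rows) -> List[Tuple[str, str, int]]:
    """List (user, scheme, limit) for every row whose scheme truncates input."""
    findings = []
    for user, stored in rows:
        scheme, limit = identify_scheme(stored)
        if limit is not None:
            findings.append((user, scheme, limit))
    return findings

if __name__ == "__main__":
    print(audit_passdb(SAMPLE_ROWS))
    print([effective_password(c, 8) for c in ("testpass", "testpass123", "testpassNOT")])
```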

