On 24.03.2014 12:47, Gedalya wrote:
> On 03/24/2014 07:34 AM, Jürgen Ladstätter wrote:
>> we use dovecot 2.0.9 and authentication against a mysql database. Everything
>> works fine, but we found some weird behavior – when the password is e.g.
>> "testpass" you also authenticate successfully with "testpass123" or
>> "testpassNOT". Whatever comes after the correct password doesn't matter, the
>> authentication is still successful.
> ..
>> default_pass_scheme = CRYPT
>
> http://wiki2.dovecot.org/Authentication/PasswordSchemes --
>
> CRYPT: Traditional DES-crypted password in /etc/passwd (e.g. "pass" =
> vpvKh.SaNbR6s)
>
> Dovecot uses libc's crypt() function, which means that CRYPT is usually able
> to recognize MD5-CRYPT and possibly also other password schemes. See all of
> the *-CRYPT schemes at the top of this page.
> >>>>>>>>
> *The traditional DES-crypt scheme only uses the first 8 characters of the
> password, the rest are ignored.* Other schemes may have other password length
> limitations (if they limit the password length at all)
my passwords have 19 chars and my linux login does not accept only the first
8 ones, that's been the state for many years now

frankly 8 chars is laughable, i recently wrote a PHP library to generate
secure random passwords and for 100000 passwords getting 13 collisions is way
too much, given that it means you have a collision every 8000 tries, which
means you don't need 8000 in a real world attack

GENERATED: 100000
COLLISIONS: 13
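The behaviour Jürgen reports (any suffix after the first 8 characters is accepted) is a property of the password scheme, not of Dovecot, and it can be probed from the outside with nothing but a known-good password. The script below is an added example, not code from this thread, from Dovecot or from any PHP library mentioned in it. It contains a deliberately simplified stand-in for traditional DES crypt (`des_crypt_model`: a plain salted SHA-256 over the first 8 characters, which reproduces only the truncation property, not the real DES-based algorithm in libc) next to a scheme with no length limit (`pbkdf2_model`), and a probe (`detect_truncation`) that works against any `verify(candidate) -> bool` oracle, so it can be pointed at a real login instead of the model. All function names and the sample passwords are assumptions made for the example.

```python
"""Probe a password verifier for silent truncation (added example).

The DES "model" below is a stand-in: it only reproduces the property that
matters for the thread, namely that traditional DES crypt(3) hashes just the
first 8 characters of the password and ignores the rest.  It is NOT the real
algorithm, which lives in libc's crypt().
"""
import hashlib
import hmac
from typing import Callable, Optional

DES_CRYPT_MAX_LEN = 8  # traditional DES crypt keys on the first 8 chars only


def des_crypt_model(password: str, salt: bytes) -> bytes:
    """Stand-in for traditional DES crypt: truncates to 8 chars, then hashes.

    Every password that shares its first 8 characters with the stored one
    produces the same hash under the same salt, so "testpass123" and
    "testpassNOT" both verify against a hash of "testpass".
    """
    truncated = password[:DES_CRYPT_MAX_LEN].encode()
    return hashlib.sha256(salt + truncated).digest()


def pbkdf2_model(password: str, salt: bytes) -> bytes:
    """A scheme with no length limit: every character of the password counts."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_verifier(hash_fn: Callable[[str, bytes], bytes],
                  stored_password: str,
                  salt: bytes = b"ab") -> Callable[[str], bool]:
    """Build a verify(candidate) oracle from a hash function and a stored password.

    Stands in for whatever answers "is this password correct" in a real
    deployment (an IMAP LOGIN, `doveadm auth test`, ...).
    """
    stored = hash_fn(stored_password, salt)

    def verify(candidate: str) -> bool:
        # Constant-time comparison of the digests, as a real verifier should do.
        return hmac.compare_digest(stored, hash_fn(candidate, salt))

    return verify


def detect_truncation(verify: Callable[[str], bool],
                      known_password: str) -> Optional[int]:
    """Find the effective password length a verifier actually checks.

    Tries proper prefixes of a known-good password from shortest to longest.
    The first prefix that is accepted is the truncation limit; None means no
    prefix was accepted, i.e. no truncation was observed.  Use a known
    password that is longer than any limit you suspect (here 21 chars, so an
    8-char limit is detectable).
    """
    for n in range(1, len(known_password)):
        if verify(known_password[:n]):
            return n
    return None


def suffix_is_ignored(verify: Callable[[str], bool], known_password: str) -> bool:
    """The check from the thread: does garbage appended to the password still log in?"""
    return verify(known_password + "123") and verify(known_password + "NOT")


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    des_verify = make_verifier(des_crypt_model, "testpass")
    print("DES-like: suffix ignored:", suffix_is_ignored(des_verify, "testpass"))

    for name, fn in (("DES-like", des_crypt_model), ("PBKDF2-like", pbkdf2_model)):
        v = make_verifier(fn, "correct-horse-battery")
        print(f"{name}: effective length = {detect_truncation(v, 'correct-horse-battery')}")
```

Run against the model, the DES-like verifier reports an effective length of 8 and accepts the "testpass123"/"testpassNOT" variants from the original report, while the PBKDF2-like verifier reports no truncation. To probe a real Dovecot instance, replace `make_verifier(...)` with a function that attempts a login with the candidate and returns whether it succeeded; on a host whose Python still ships the `crypt` module and whose libc still supports DES, `lambda pw, salt: crypt.crypt(pw, "ab").encode()` can also be dropped in as the hash function to see the real crypt() behave the same way.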