On Tue, Jan 16, 2001 at 06:08:56AM +0000, Tim Hassan wrote:
> No matter how long you set the password to when adding a new user, only the
> first 8 characters of the password are used. So for example, if I do:
>
> ./vadduser [EMAIL PROTECTED] this-is-hard-to-guess-234234235-23423
>
> and then I try to login to my email as user "test" and password "this-is-",
> it would let me in.
This is standard Unix crypt behaviour. Unless you are using MD5
passwords on your system (or Blowfish, I believe, on OpenBSD), then
your system accounts will show the same behaviour.
Even an 8-character password, provided it is sufficiently complex, will
probably prove unreasonably difficult to break.
There is probably a way to force vpopmail to use MD5 if the system
supports it. Anyone know what is it?
Better still, do all your mail transfer over an encrypted SSH tunnel
(the fetchmail docs show you how to do it with fetchmail, it's very
simple). Unless you are using APOP (not well supported in vpopmail,
IIRC), your password is going over the network in clear-text anyway.
cheers,
damon
--
Damon Muller
http://killfilter.com
GPG Key: 0xA136E829
