I can't see how that could possibly be construed as a security drawback. POP
is inherently insecure in the first place (sending clear text passwords
across the net) and password sniffing is much more of a problem (and the
easiest way to collect passwords) than people cracking passwords. 

So, unless you're exclusively using a) POP3-SSL or POP over SSH to prevent
password sniffing, b) shadow passwords (who isn't?), c) MD5 (or blowfish)
passwords on your current system (to utilize more than 8 char passwords),
and d) forcing users to actually USE long passwords, it's quite silly to say
that using DES is a security drawback to using vpopmail.

The risk of having a password cracked is minimal on a userless system. 

Matt

> -----Original Message-----
> From: Tim Hassan [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 15, 2001 10:09 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: vchkpw lacking authentication security
> 
> 
> 
> Dear Inter7 Developer: 
> 
> I recently discovered the following security drawback in 
> vpopmail with vchkpw authentication: 
> 
> No matter how long you set the password to when adding a new user, only
> the first 8 characters of the password are used. So for example, if I do: 
> 
> ./vadduser [EMAIL PROTECTED] this-is-hard-to-guess-234234235-23423 
> 
> and then I try to login to my email as user "test" and 
> password "this-is-", it would let me in.
> As you may already know, any password below 8 characters is 
> considered insecure, even if it was a combination of letters, numbers, 
> and special characters. In other words, Standard DES crypto is used :( 
> 
> 
> Best Regards,
> Tamer Hassan 
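
The 8-character truncation discussed in this thread, as an added example that is not part of the original messages or of vpopmail's code: it shows the key material traditional DES crypt(3) takes from a password, and an audit that flags DES-format hashes against the MD5 and blowfish formats mentioned above. The function names, the passwd-style `name:hash:...` layout and the sample lines are assumptions made for illustration.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def des_key_material(password: str) -> bytes:
    """Key bytes traditional crypt(3) takes from a password: the low 7 bits
    of each of the first 8 characters. Anything past character 8 is dropped."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes((b & 0x7F) << 1 for b in raw)


def scheme(hash_field: str) -> str:
    """Classify a stored hash by its crypt(3) format."""
    if hash_field.startswith("$1$"):
        return "md5"
    if hash_field.startswith(("$2$", "$2a$")):
        return "blowfish"
    if DES_RE.match(hash_field):
        return "des"
    return "unknown"


def audit(lines):
    """Return account names whose stored hash is traditional DES."""
    flagged = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) >= 2 and scheme(fields[1]) == "des":
            flagged.append(fields[0])
    return flagged


# Constructed sample in passwd-style "name:hash:..." form (assumed layout);
# the hash strings are format placeholders, not real crypt output.
SAMPLE = [
    "test:abCdEfGhIjKlM:1:0:Test:/home/test:",
    "alice:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:1:0:Alice:/home/alice:",
    "bob:$2a$05$" + "B" * 53 + ":1:0:Bob:/home/bob:",
]

if __name__ == "__main__":
    long_pw = "this-is-hard-to-guess-234234235-23423"
    print(des_key_material(long_pw) == des_key_material("this-is-"))
    print(audit(SAMPLE))
```

Accounts the audit flags keep an 8-character effective password until the hash is regenerated under a longer-input scheme, which requires the user to set the password again.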
