Opened 15 years ago

Closed 8 years ago

#4812 closed bug (fixed)

Screen Saver 'Password lock' security weakness

Reported by: olaf Owned by: nobody
Priority: normal Milestone: R1
Component: System/POSIX Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

If you use the Password lock security feature, only the first 8 characters need to be guessed to unlock it. Any characters past the first 8 are ignored.

Example: your password is "1234567890" but it can be unlocked with "12345678" only.

This was tested in hrev33610.

Change History (4)

comment:1 by stimut, 15 years ago

This is due to the POSIX-compliant implementation of crypt(3) in libroot which correctly truncates the password to 8 characters.

There is a libcrypt implementation in the sources which allows an arbitrary length password (as well as supporting better hash algorithms such as md5 and blowfish - we currently use DES), but I don't know enough about the build system to know how to use it.
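The failure mode described in the ticket and in comment 1, as an added example that is not from the Haiku sources: a lock-screen verifier built on a DES-style crypt() that keys only on the first 8 bytes of the password, next to a verifier that hashes the full password. The truncating function here is a stand-in (SHA-256 over the first 8 bytes), not real DES crypt(3); it reproduces only the property at issue, that bytes past the 8th never reach the hash. The regression check at the end is the test a lock-screen or login component should carry so that a switch of hash backend cannot silently reintroduce the truncation.

```python
"""Added example (not Haiku code): password truncation in a screen-lock verifier.

Assumed/constructed: the stand-in `des_style_crypt` helper, the PBKDF2
replacement, and the sample password "1234567890" from the ticket.
"""
import hashlib
import hmac
import os


def des_style_crypt(password: str, salt: bytes) -> bytes:
    # Stand-in for traditional DES crypt(3): only the first 8 bytes of the
    # password are used as key material; everything after is discarded.
    key = password.encode("utf-8")[:8]
    return hashlib.sha256(salt + key).digest()


def full_length_kdf(password: str, salt: bytes) -> bytes:
    # Hardened replacement: PBKDF2-HMAC-SHA256 over the whole password.
    # (Any modern password hash such as bcrypt or scrypt would do; the point
    # is that no prefix truncation happens before hashing.)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_verifier(kdf):
    """Build (enroll, verify) closures around a key-derivation function."""

    def enroll(password: str):
        salt = os.urandom(16)
        return salt, kdf(password, salt)

    def verify(stored, candidate: str) -> bool:
        salt, digest = stored
        # Constant-time comparison so verification does not leak via timing.
        return hmac.compare_digest(digest, kdf(candidate, salt))

    return enroll, verify


weak_enroll, weak_verify = make_verifier(des_style_crypt)
strong_enroll, strong_verify = make_verifier(full_length_kdf)


def weak_accepts_prefix() -> bool:
    """Ticket scenario: lock set with "1234567890", unlock attempted with "12345678"."""
    stored = weak_enroll("1234567890")
    return weak_verify(stored, "12345678")


def strong_accepts_prefix() -> bool:
    """Same scenario against the full-length verifier."""
    stored = strong_enroll("1234567890")
    return strong_verify(stored, "12345678")


def truncation_regression_check(enroll, verify, limit: int = 8) -> bool:
    """Return True if the verifier is vulnerable to prefix truncation.

    Enrolls a password that differs from a shorter one only past `limit`
    bytes and checks whether the shorter one is wrongly accepted.
    """
    base = "a" * limit
    stored = enroll(base + "XYZ")
    return verify(stored, base)


if __name__ == "__main__":
    print("DES-style verifier accepts 8-char prefix:", weak_accepts_prefix())
    print("full-length verifier accepts 8-char prefix:", strong_accepts_prefix())
    print("weak vulnerable:", truncation_regression_check(weak_enroll, weak_verify))
    print("strong vulnerable:", truncation_regression_check(strong_enroll, strong_verify))
```

Run as a script it prints `True` for the DES-style verifier and `False` for the full-length one. `truncation_regression_check` is deliberately backend-agnostic so it can be pointed at whatever KDF a component ends up linking against.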

comment:2 by pulkomandy, 10 years ago

Component: Preferences/ScreenSaver → System/POSIX
Owner: changed from axeld to nobody

Where in POSIX is it said that it should truncate to 8 characters? I can't see any such restriction in http://pubs.opengroup.org/onlinepubs/009695399/functions/crypt.html .

comment:3 by i80and, 8 years ago

This is corrected by my patch in #12365.

comment:4 by waddlesplash, 8 years ago

Resolution: → fixed
Status: new → closed

...and that patch has now been applied.
