Opened 15 years ago
Closed 8 years ago
#4812 closed bug (fixed)
Screen Saver 'Password lock' security weakness
Reported by: | olaf | Owned by: | nobody
---|---|---|---
Priority: | normal | Milestone: | R1
Component: | System/POSIX | Version: | R1/Development
Keywords: | | Cc: |
Blocked By: | | Blocking: |
Platform: | All | |
Description
If you use the Password lock security feature, only the first 8 characters need to be guessed to unlock it. Any characters past the first 8 are ignored.
Example: your password is "1234567890" but it can be unlocked with "12345678" only.
This was tested in hrev33610.
Change History (4)
comment:1 by , 15 years ago
This is due to the POSIX-compliant implementation of crypt(3) in libroot, which correctly truncates the password to 8 characters.
There is a libcrypt implementation in the sources which allows an arbitrary length password (as well as supporting better hash algorithms such as MD5 and Blowfish - we currently use DES), but I don't know enough about the build system to know how to use it.
comment:2 by , 10 years ago
Component: | Preferences/ScreenSaver → System/POSIX |
---|---|
Owner: | changed from | to
Where in POSIX is it said that it should truncate to 8 characters? I can't see any such restriction in http://pubs.opengroup.org/onlinepubs/009695399/functions/crypt.html .
comment:4 by , 8 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
...and that patch has now been applied.
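As an added illustration of the weakness described in the report and in comment:1 (example code written for this page, not Haiku's libroot or libcrypt code): a probe that finds the length past which a password-hash function ignores further input, run against a constructed stand-in for traditional DES crypt(3), which only ever looks at the first 8 characters (7 bits of each), and against PBKDF2 over the whole password. The names `legacy_crypt`, `modern_hash`, `truncation_length` and `ticket_scenario` are assumptions made here.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

HashFn = Callable[[str, bytes], bytes]

# Constructed stand-in for traditional DES crypt(3), which keeps only the first
# 8 characters of the password. It reproduces that length behaviour with
# SHA-256 so the probe runs offline; it is NOT the DES algorithm itself.
def legacy_crypt(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password[:8].encode()).digest()

# Non-truncating alternative: PBKDF2-HMAC-SHA256 over the whole password.
# (Iteration count kept low so the probe below finishes quickly.)
def modern_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def verify(hash_fn: HashFn, stored: bytes, salt: bytes, attempt: str) -> bool:
    # Constant-time comparison of the stored hash against the attempt's hash.
    return hmac.compare_digest(stored, hash_fn(attempt, salt))

def truncation_length(hash_fn: HashFn, max_len: int = 32) -> Optional[int]:
    """Smallest n for which appending a character to an n-character password
    leaves the hash unchanged, i.e. the point past which input is ignored.
    Returns None if every probed length still affects the hash."""
    salt = b"ab"
    for n in range(1, max_len + 1):
        base = "a" * n
        if hash_fn(base, salt) == hash_fn(base + "z", salt):
            return n
    return None

def ticket_scenario(hash_fn: HashFn) -> bool:
    """Reproduce the report: lock with "1234567890", try to open with "12345678"."""
    salt = os.urandom(2)
    stored = hash_fn("1234567890", salt)
    return verify(hash_fn, stored, salt, "12345678")

if __name__ == "__main__":
    for name, fn in (("DES-style crypt", legacy_crypt), ("PBKDF2", modern_hash)):
        print(f"{name}: input ignored past {truncation_length(fn)} chars; "
              f"8-char guess opens 10-char lock: {ticket_scenario(fn)}")
```

The same probe can be pointed at a real `crypt()` wrapper to confirm whether a given libroot build still truncates.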