[Bug] I can login using multiple passwords [NOBUG]

SPF · Post by **SPF** » Tue Jan 13, 2004 5:30 pm

I have a password combined with numbers and letters. The last 2 characters of my password are numbers, and they can be used to make differend passwords.

Example ( this is not my password below ) :

eH5xU45

The differend passwords you can use to login would be :
1) eH5xU
2) eH5xU4
3) eH5xU45
but also :
4) eH5xU329847
5) eH5xU324237492387482374927349

and much and much more ....

I found the bug, when I forgot the last 2 numbers at the end of my password.

SPF

wahaha · Post by **wahaha** » Tue Jan 13, 2004 6:51 pm

Confirmed, although when I tested it myself, entering "12345678" (in the webinterface) worked for both "12345678aa" and "1234567890123456", so it "feels" like the password is truncated somewhere...

As this is an AniDB-bug, I moved it there

Post by **exp** » Tue Jan 13, 2004 7:02 pm

only the first 8 characters of a password are relevant.

SPF: is you example correct @ length?
if so that would be a real bug.

BYe!
EXP

SPF · Post by **SPF** » Tue Jan 13, 2004 7:15 pm

Yes, that is true, only the first 8 characters are checked during login.

SPF

wahaha · Post by **wahaha** » Tue Jan 13, 2004 7:27 pm

exp wrote:only the first 8 characters of a password are relevant.

Might be good to change the maximum password-length in the profile then - there's only an error-message for >16 characters

Post by **exp** » Tue Jan 13, 2004 7:41 pm

why?

i mean if some ppl can remember a certain, longer password better, why prevent them from using it?

BYe!
EXP

SPF · Post by **SPF** » Tue Jan 13, 2004 7:49 pm

I agree with exp, longer passwords are sometimes easier to remember, but the chance of making errors during typing those longer passwords will increase.

SPF

wahaha · Post by **wahaha** » Tue Jan 13, 2004 8:49 pm

It's not a bug, it's a feature... huh? ^^;

Since 8 characters should[tm] be safe enough for this purpose, I won't argue about this.

Post by **exp** » Tue Jan 13, 2004 8:57 pm

well,

i am using a good old [tm] DES crypt to store the passwords.
and it never supported more than 8 chars

BYe!
EXP

SPF · Post by **SPF** » Tue Jan 13, 2004 10:05 pm

What should we do about this "bug/feature" ?

1) limit the password editing boxes to 8 chars
2) write something near the editing boxes about the limits
3) leave it as it is (do nothing)
4) using an alternative crypt
5) vote about it

I don't know how many users have a password longer than 8 chars. And because it's all encrypted in the database (I assume), I think we cannot gain more information about it.

I also have a database with users. But I use md5 as crypt.

SPF

Post by **exp** » Wed Jan 14, 2004 12:01 am

well,

i don't see why this should be any problem.
i'd just ignore it.

BYe!
EXP