[tac_plus] Issue: Incomplete passwords being accepted
Alan McKinnon
alan.mckinnon at gmail.com
Sat Feb 28 18:01:23 UTC 2015

On Sat, 28 Feb 2015 08:29:42 -0800
Matt Almgren <malmgren at skyfire.com> wrote:

> I never noticed this before, but I see the same 8-character problem
> with version F4.0.4.27a and CentOS 6.4.

You will see it on all versions of tac_plus on all distros. The
password encryption is done in the crypt() system call, which is where
DES is implemented.

It's not a bug, it's a feature; it's just the way DES works. One more
reason why you should not use DES for password hashing: superior types
exist.

Alan
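
The following is an added example, not part of the original message and not tac_plus code. It shows why traditional DES crypt() accepts any password sharing its first 8 characters, and audits a config for such hashes. The `user = NAME {` and `login|enable = des HASH` syntax is assumed, and all function names and sample values are constructed for illustration.

```python
import re

# Assumed tac_plus config syntax: "user = NAME {" and "login|enable = des HASH".
USER_RE = re.compile(r"^\s*user\s*=\s*(\S+)")
HASH_RE = re.compile(r"^\s*(login|enable)\s*=\s*des\s+(\S+)")
TRADITIONAL_DES = re.compile(r"^[./0-9A-Za-z]{13}$")  # 2 salt + 11 hash chars
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512"}


def des_key_material(password):
    """7 low bits of each of the first 8 bytes: all that DES crypt() keys on."""
    return bytes(b & 0x7F for b in password.encode()[:8]).ljust(8, b"\0")


def classify(hash_field):
    """Name the crypt() scheme implied by a stored hash's shape."""
    for prefix, name in PREFIXES.items():
        if hash_field.startswith(prefix):
            return name
    return "des" if TRADITIONAL_DES.match(hash_field) else "unknown"


def audit(config_text):
    """Return (line, user, field) for every traditional-DES hash found."""
    findings, user = [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if (m := USER_RE.match(line)):
            user = m.group(1)
        elif (m := HASH_RE.match(line)) and classify(m.group(2)) == "des":
            findings.append((lineno, user, m.group(1)))
    return findings


# Constructed sample config; the hash strings are placeholders, not real hashes.
SAMPLE = """\
user = alice {
    login = des xxPLACEHOLDER
}
user = bob {
    login = des $6$constructed$PLACEHOLDER
    enable = des yyPLACEHOLDER
}
"""

if __name__ == "__main__":
    # Same first 8 characters, same DES key, so the same hash is produced.
    print(des_key_material("correcthorse") == des_key_material("correcth"))
    for lineno, user, field in audit(SAMPLE):
        print(f"line {lineno}: user {user}: {field} hash is traditional DES")
```

Entries it reports need the password reset and re-hashed with a stronger scheme; the stored DES hash cannot be converted in place.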