[tac_plus] Issue: Incomplete passwords being accepted

Daniel Schmidt daniel.schmidt at wyo.gov
Mon Mar 2 17:50:27 UTC 2015


To Alan's point, try your password in a better hasher, like this one I
threw up.  (Trivial python - available on request)

https://192.146.215.251/cgi-bin/gen_pass.cgi



On Sat, Feb 28, 2015 at 11:01 AM, Alan McKinnon <alan.mckinnon at gmail.com>
wrote:

> On Sat, 28 Feb 2015 08:29:42 -0800
> Matt Almgren <malmgren at skyfire.com> wrote:
>
> > I never noticed this before, but I see the same 8-character problem
> > with version F4.0.4.27a  and CentOS 6.4.
>
>
> You will see it on all versions of tac_plus on all distros. The
> password encryption is done in the crypt() system call which is where
> DES is implemented.
>
> It's not a bug it's a feature, it's just the way DES works. One more
> reason why you should not use DES for password hashing, superior types
> exist.
>
> Alan


E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
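
The 8-character behaviour discussed in this thread, as an added example that is not part of the original e-mails or of tac_plus itself: traditional DES crypt() builds its key from the low 7 bits of the first 8 password characters only, and a stored hash's format shows which scheme produced it. The sketch assumes user entries of the form `login = des <hash>`; the config excerpt, user names and hashes are constructed sample values.

```python
import re

# Constructed tac_plus.conf excerpt; every hash below is a made-up sample value.
SAMPLE_CONF = """\
user = alice {
    login = des ab1cD2eF3gH4i
}
user = bob {
    login = des $1$SAMPLE$xxxxxxxxxxxxxxxxxxxxxx
    enable = des $6$SAMPLE$yyyyyyyyyyyyyyyyyyyyyy
}
"""

MODULAR = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
TRADITIONAL_DES = re.compile(r"[./0-9A-Za-z]{13}")  # 2 salt chars + 11 hash chars
USER_RE = re.compile(r"\s*user\s*=\s*(\S+)\s*\{")
CRED_RE = re.compile(r"\s*(login|enable|pap)\s*=\s*des\s+(\S+)")

def des_key_material(password):
    """Bytes traditional DES crypt() keys on: low 7 bits of the first 8 characters."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes(b & 0x7F for b in raw)

def classify(hash_str):
    """Name the crypt() scheme from the stored hash's format."""
    for prefix, name in MODULAR.items():
        if hash_str.startswith(prefix):
            return name
    return "traditional-des" if TRADITIONAL_DES.fullmatch(hash_str) else "unknown"

def audit(conf_text):
    """Return (user, field, scheme) for each 'des' credential in the config."""
    findings, user = [], None
    for line in conf_text.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
            continue
        m = CRED_RE.match(line)
        if m:
            findings.append((user, m.group(1), classify(m.group(2))))
    return findings

if __name__ == "__main__":
    # Anything past the 8th character never reaches the DES key.
    print(des_key_material("Tr0ub4dor") == des_key_material("Tr0ub4do&extra"))
    for user, field, scheme in audit(SAMPLE_CONF):
        flag = "TRUNCATES AT 8 CHARS" if scheme == "traditional-des" else "-"
        print(f"{user:8} {field:7} {scheme:16} {flag}")
```

Entries reported as `traditional-des` are the ones where a password longer than 8 characters authenticates on its first 8 characters alone.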