[tac_plus] Issue: Incomplete passwords being accepted

Krux krux at thcnet.net
Mon Mar 2 18:01:15 UTC 2015


So, I'm sure you mean well, but it's a bad security practice to send your password to a third party so they can generate a hash for you.
perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'

On March 2, 2015 9:50:27 AM PST, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>To Alan's point, try your password in a better hasher, like this one I
>threw up.  (Trivial python - available on request)
>
>https://192.146.215.251/cgi-bin/gen_pass.cgi
>
>
>
>On Sat, Feb 28, 2015 at 11:01 AM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
>
>> On Sat, 28 Feb 2015 08:29:42 -0800
>> Matt Almgren <malmgren at skyfire.com> wrote:
>>
>> > I never noticed this before, but I see the same 8-character problem
>> > with version F4.0.4.27a  and CentOS 6.4.
>>
>>
>> You will see it on all versions of tac_plus on all distros. The
>> password encryption is done in the crypt() system call which is where
>> DES is implemented.
>>
>> It's not a bug it's a feature, it's just the way DES works. One more
>> reason why you should not use DES for password hashing, superior types
>> exist.
>>
>> Alan
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>
>
>E-Mail to and from me, in connection with the transaction 
>of public business, is subject to the Wyoming Public Records 
>Act and may be disclosed to third parties.
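The 8-character behaviour discussed in this thread, as an added example that is not part of any message above: traditional DES crypt(3) builds its 56-bit key from the low 7 bits of the first 8 password bytes only, so anything after that never reaches the hash. The function names and the sample entries are hypothetical; the format check goes slightly beyond the thread to flag stored hashes that are DES crypt rather than a modular (`$id$`) scheme.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, no "$" prefix.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
# Modular crypt prefixes for schemes that use the whole password.
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def des_crypt_key(password: str) -> bytes:
    """56-bit DES key as traditional crypt(3) builds it: the low 7 bits of
    each of the first 8 bytes, shifted left past the unused parity bit."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes((b & 0x7F) << 1 for b in raw)


def same_des_key(a: str, b: str) -> bool:
    """True when DES crypt cannot tell the two passwords apart (same salt)."""
    return des_crypt_key(a) == des_crypt_key(b)


def hash_scheme(stored: str) -> str:
    """Classify a stored crypt(3) string by its format."""
    if DES_CRYPT.fullmatch(stored):
        return "des-crypt"
    m = re.match(r"\$([0-9a-z]+)\$", stored)
    if m:
        return MODULAR.get(m.group(1), "other-modular")
    return "unknown"


def truncating_accounts(entries: dict) -> list:
    """Names whose stored hash is DES crypt, i.e. only 8 characters count."""
    return sorted(u for u, h in entries.items() if hash_scheme(h) == "des-crypt")


if __name__ == "__main__":
    # Constructed sample data, not real hashes.
    sample = {
        "alice": "ab0123456789.",
        "bob": "$6$constructedsalt$constructedhashvalue",
    }
    print(same_des_key("password", "password-and-more"))
    print(truncating_accounts(sample))
```

Everything runs locally, so no password has to leave the machine to check whether it is affected.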
