[tac_plus] Issue: Incomplete passwords being accepted

Daniel Schmidt daniel.schmidt at wyo.gov
Mon Mar 2 18:05:16 UTC 2015 

Which Y I say: Trivial python - available on request

On Mon, Mar 2, 2015 at 11:01 AM, Krux <krux at thcnet.net> wrote:

> So, I'm sure you mean well, but it's a bad security practice to send your
> password to a third party so they can generate a hash for you.
> perl -e 's==UBER?=+y[:-o]}(;->\n{q-yp-y+k}?print:??;-p#)'
>
> On March 2, 2015 9:50:27 AM PST, Daniel Schmidt <daniel.schmidt at wyo.gov>
> wrote:
> >To Alan's point, try your password in a better hasher, like this one I
> >threw up.  (Trivial python - available on request)
> >
> >https://192.146.215.251/cgi-bin/gen_pass.cgi
> >
> >
> >
> >On Sat, Feb 28, 2015 at 11:01 AM, Alan McKinnon
> ><alan.mckinnon at gmail.com>
> >wrote:
> >
> >> On Sat, 28 Feb 2015 08:29:42 -0800
> >> Matt Almgren <malmgren at skyfire.com> wrote:
> >>
> >> > I never noticed this before, but I see the same 8-character problem
> >> > with version F4.0.4.27a  and CentOS 6.4.
> >>
> >>
> >> You will see it on all versions of tac_plus on all distros. The
> >> password encryption is done in the crypt() system call which is where
> >> DES is implemented.
> >>
> >> It's not a bug it's a feature, it's just the way DES works. One more
> >> reason why you should not use DES for password hashing, superior
> >types
> >> exist.
> >>
> >> Alan
> >> _______________________________________________
> >> tac_plus mailing list
> >> tac_plus at shrubbery.net
> >> http://www.shrubbery.net/mailman/listinfo/tac_plus
> >>
> >
> >
> >E-Mail to and from me, in connection with the transaction
> >of public business, is subject to the Wyoming Public Records
> >Act and may be disclosed to third parties.
> >-------------- next part --------------
> >An HTML attachment was scrubbed...
> >URL:
> ><
> http://www.shrubbery.net/pipermail/tac_plus/attachments/20150302/1049d3bd/attachment.html
> >
> >_______________________________________________
> >tac_plus mailing list
> >tac_plus at shrubbery.net
> >http://www.shrubbery.net/mailman/listinfo/tac_plus
>
>
>


E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150302/dfa5e573/attachment.html>

More information about the tac_plus mailing list