Authentication problem with postfix/dovecot/mysql install
I then installed roundcube, and when testing it out, I realized that I misspelled the last character of the password. To my surprise, I was logged in.
I decided to further test this problem and it seems that anything after the 8th character is being ignored.
I created an account using:
insert into users(email, password) values ('test@example.com', ENCRYPT('password123'));
and was able to log into the account using password: password
Then I created a second account (I thought that maybe the numbers were being ignored):
insert into users(email, password) values ('test@example.com', ENCRYPT('p1ssword123'));
I tried logging in with password => password and it didn't work.
But I was, again, able to login with the password => p1ssword and password => p1sswordFOO
Any help would be appreciated to fix this security issue
3 Replies
Man page
-Chris
@pclissold:
MySQL uses the underlying system crypt() function. The man page says only the first eight characters are used. No easy fix.
You should read further:
NOTES
Glibc Notes
The glibc2 version of this function supports additional encryption algorithms.
If salt is a character string starting with the characters "$id$" followed by a string terminated by "$":
$id$salt$encrypted
....
ID | Method
---------------------------------------------------------
1  | MD5
2a | Blowfish (not in mainline glibc; added in some Linux distributions)
5  | SHA-256 (since glibc 2.7)
6  | SHA-512 (since glibc 2.7)
....
The characters in "salt" and "encrypted" are drawn from the set [a-zA-Z0-9./]. In the MD5 and SHA implementations the entire key is significant (instead of only the first 8 bytes in DES).
It's really only the default legacy crypt DES algorithm that's limited to 8 characters.
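An added example (not from the thread) that puts the man-page table to work: it audits which rows in the users table still carry a DES hash, shows the 8-character truncation on the DES path, and stores a new row with the glibc SHA-512 method. It assumes the same users(email, password) table as above, with the password column widened to VARCHAR(128), since a $6$ hash is about 106 characters long while DES output is 13.

```sql
-- Constructed example: audit existing rows and store new passwords with
-- glibc SHA-512 crypt so the whole password is significant.
-- Assumes: users(email VARCHAR(255), password VARCHAR(128)).

-- 1. Audit: a traditional DES hash is 13 characters with no '$' prefix,
--    so every such row only verifies the first 8 characters.
SELECT email,
       CASE
         WHEN password LIKE '$6$%'   THEN 'SHA-512 crypt (entire password checked)'
         WHEN password LIKE '$5$%'   THEN 'SHA-256 crypt (entire password checked)'
         WHEN password LIKE '$1$%'   THEN 'MD5 crypt (entire password checked)'
         WHEN LENGTH(password) = 13  THEN 'DES crypt: only first 8 characters checked'
         ELSE 'unknown scheme'
       END AS scheme
FROM users;

-- 2. Reproduce the behaviour from the thread on the DES path: with the same
--    two-character salt, the 9th character onward does not change the hash.
SELECT ENCRYPT('password123', 'ab') = ENCRYPT('password', 'ab') AS des_truncates;

-- 3. Store with SHA-512 crypt: a "$6$<salt>$" prefix selects method 6 from the
--    man page table; the hex digest supplies 16 salt characters that fall
--    inside the allowed [a-zA-Z0-9./] alphabet.
INSERT INTO users (email, password)
VALUES ('test@example.com',
        ENCRYPT('password123',
                CONCAT('$6$', SUBSTRING(SHA2(RAND(), 256), 1, 16), '$')));

-- 4. Verify the way a crypt()-based checker (Dovecot's CRYPT scheme) does:
--    re-run crypt() with the stored hash as the salt and compare. A wrong
--    9th character now fails instead of being ignored.
SELECT email,
       ENCRYPT('password123', password) = password AS correct_password_ok,
       ENCRYPT('password12X', password) = password AS wrong_9th_char_ok
FROM users
WHERE email = 'test@example.com';
```

ENCRYPT() is deprecated as of MySQL 5.7.6 and removed in MySQL 8.0 (MariaDB still provides it), so on newer servers generate the $6$ hash in the application instead and keep step 1 as the audit query.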