Linode Forum
Linode Community Forums
PostPosted: Sat Dec 22, 2012 1:55 pm 
Newbie

Joined: Fri Dec 21, 2012 2:39 pm
Posts: 3
I installed postfix and dovecot on my ubuntu 12.04 following the guide at http://library.linode.com/email/postfix/dovecot-mysql-ubuntu-10.04-lucid

I then installed roundcube, and when testing it out, I realized that I misspelled the last character of the password. To my surprise, I was logged in.

I decided to further test this problem and it seems that anything after the 8th character is being ignored.

I created an account using:

Code:
insert into users(email, password) values ('test@example.com', ENCRYPT('password123'));


and was able to log into the account using password: password

Then I created a second account (I thought that maybe the numbers were being ignored):

Code:
insert into users(email, password) values ('test@example.com', ENCRYPT('p1ssword123'));


I tried logging in with password => password and it didn't work.

But I was, again, able to log in with the password => p1ssword and password => p1sswordFOO.

Any help would be appreciated to fix this security issue.


PostPosted: Sun Dec 23, 2012 10:30 am 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
MySQL uses the underlying system crypt() function. Man page says only the first eight characters are used. No easy fix.

_________________
/ Peter


PostPosted: Sun Dec 23, 2012 10:41 am 
Linode Staff

Joined: Tue Apr 15, 2003 6:24 pm
Posts: 3090
Website: http://www.linode.com/
Location: Galloway, NJ
ENCRYPT('cleartextpassword', '$5$random16charsalt'). $5$ would get you sha-256, for example.

-Chris


PostPosted: Sun Dec 23, 2012 11:25 am 
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
pclissold wrote:
MySQL uses the underlying system crypt() function. Man page says only the first eight characters are used. No easy fix.

You should read further:

Code:
NOTES
   Glibc Notes
       The glibc2 version of  this  function  supports  additional  encryption
       algorithms.

       If  salt is a character string starting with the characters "$id$" fol-
       lowed by a string terminated by "$":

              $id$salt$encrypted
....
              ID  | Method
              ---------------------------------------------------------
              1   | MD5
              2a  | Blowfish (not in mainline glibc; added in some
                  | Linux distributions)
              5   | SHA-256 (since glibc 2.7)
              6   | SHA-512 (since glibc 2.7)
....
       The  characters  in  "salt"  and  "encrypted"  are  drawn  from the set
       [a-zA-Z0-9./].  In the MD5 and SHA implementations the  entire  key  is
       significant (instead of only the first 8 bytes in DES).


It's really only the default legacy crypt DES algorithm that's limited to 8 characters.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


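The following SQL is an added example, not code from the thread, the Linode guide, or the Dovecot/MySQL projects. It reproduces the 8-character DES truncation the original poster saw, then stores the same password with the explicit "$5$" salt Chris suggests so glibc's SHA-256 crypt is used instead. The table name and columns follow the thread; the account e-mail addresses and the way the salt is generated are constructed for illustration.

```sql
-- Added example (not from the thread or the Linode guide): reproducing the
-- 8-character truncation of DES crypt() via MySQL ENCRYPT(), then storing a
-- SHA-256 crypt hash instead. Table/column names follow the thread; the
-- e-mail addresses and salt construction are assumptions for illustration.

CREATE TABLE IF NOT EXISTS users (
  email    VARCHAR(255) NOT NULL PRIMARY KEY,
  password VARCHAR(128) NOT NULL
);

-- 1. The weak form: ENCRYPT() with no salt argument picks a 2-character DES
--    salt, and DES crypt() only looks at the first 8 bytes of the password.
INSERT INTO users (email, password)
VALUES ('des@example.com', ENCRYPT('password123'));

-- Verify a candidate the way crypt()-based code (Dovecot's CRYPT scheme
-- included) does: feed the stored hash back in as the salt and compare.
-- Both columns come back 1 for this row, which is exactly the bug.
SELECT email,
       ENCRYPT('password123', password) = password AS full_pw_ok,
       ENCRYPT('password',    password) = password AS truncated_pw_ok
FROM users
WHERE email = 'des@example.com';

-- 2. The fix: pass an explicit "$5$<salt>" salt so glibc uses SHA-256 crypt.
--    SHA2(RAND(), 256) yields hex digits, which fall inside crypt's
--    [a-zA-Z0-9./] salt alphabet; 16 characters is the longest salt glibc
--    uses for the SHA schemes, so anything beyond that would be ignored.
INSERT INTO users (email, password)
VALUES ('sha@example.com',
        ENCRYPT('password123',
                CONCAT('$5$', SUBSTRING(SHA2(RAND(), 256), 1, 16))));

-- Same check: now only the complete password verifies (1 and 0).
SELECT email,
       ENCRYPT('password123', password) = password AS full_pw_ok,
       ENCRYPT('password',    password) = password AS truncated_pw_ok
FROM users
WHERE email = 'sha@example.com';

-- 3. Audit: a stored hash that does not start with "$" is a legacy DES hash
--    and should be re-hashed the next time that user sets a password (the
--    plaintext is not recoverable, so it cannot be converted in place).
SELECT email
FROM users
WHERE password NOT LIKE '$%';
```

Two caveats worth knowing before copying this. Dovecot's CRYPT password scheme hands the stored string to the system crypt(), so a "$5$" (or "$6$" for SHA-512) hash verifies without changing dovecot-sql.conf, but every existing DES hash stays truncated until its owner changes their password. MySQL deprecated ENCRYPT() in 5.7.6 and removed it in 8.0, so on a newer server the hashing has to move into the application (or into Dovecot's own doveadm pw tool) rather than into the INSERT statement.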