Bug in OS X Installer Authentication?

Posted:
in macOS edited January 2014
Hey everyone!



Try this (if you have a MacOS X password longer than 8 chars): Launch some installer that requires authenticating yourself, enter only the first 8 chars of your password and hit enter.



At least in 10.2.3, you will be authenticated although you didn't enter the full (i.e. correct) password! I checked it with the Dec2002SystemEvents Installer and with the Java 1.4.1 Package.



Is this a known bug or something? Anyone can tell?



Greetings!

danB

Comments

  • Reply 1 of 12
    Yes, it is known. Mac OS X has always only checked the first 8 characters. Is it serious? I don't know. Someone else here can answer that better then I can.
  • Reply 2 of 12
    Quote:

    Originally posted by Chealion

    Yes, it is known. (...) Is it serious?



    Well, since they haven't fixed it yet and with the fact in mind that OS X's been on the market for 2 and a half years now: Guess not
  • Reply 3 of 12
    torifiletorifile Posts: 4,024member
    Quote:

    Originally posted by Chealion

    Yes, it is known. Mac OS X has always only checked the first 8 characters. Is it serious? I don't know. Someone else here can answer that better then I can.



    I think it's serious only in so far as you can only have 8 characters in your password. OS X isn't as susceptible to buffer overruns as MS stuff, so the risk of the system reading in those extra characters and actually doing something with them is extremely low. So, no, it's not serious except that it's easier (relatively speaking) to guess someone's password.
  • Reply 4 of 12
    shetlineshetline Posts: 4,695member
    Quote:

    Originally posted by torifile

    So, no, it's not serious except that it's easier (relatively speaking) to guess someone's password.



    There's also the risk of thinking that you've changed a password, but not actually have done so, because you've changed only characters beyond the eight character, characters you never realized were being ignored.



    BTW, this issue isn't specific to installers. I believe it applies to any use of OS X system passwords in general. Maybe Panther supports longer passwords?
  • Reply 5 of 12
    torifiletorifile Posts: 4,024member
    Quote:

    Originally posted by shetline

    There's also the risk of thinking that you've changed a password, but not actually have done so, because you've changed only characters beyond the eight character, characters you never realized were being ignored.



    BTW, this issue isn't specific to installers. I believe it applies to any use of OS X system passwords in general. Maybe Panther supports longer passwords?




    Good point. I hadn't thought of that. And, you're right, it's your user password (which the Installers user for authentication).
  • Reply 6 of 12
    Quote:

    Originally posted by shetline

    Maybe Panther supports longer passwords?



    Interesting question... any ADC Member w/ Panther on his/her machine out there to check this?



    greetz

    durandal
  • Reply 7 of 12
    Quote:

    Originally posted by durandal

    Interesting question... any ADC Member w/ Panther on his/her machine out there to check this?



    greetz

    durandal




    As of 7B59 this bug has been fixed. I only checked the login password, not authentication for updates.



    Blueflame
  • Reply 8 of 12
    ast3r3xast3r3x Posts: 5,012member
    36 possible characters in any 8 digit combination.



    8^36



    1,073,741,824



    Easily hackable short answer no, long answer yes. Is anyone that knows how to do it going to be trying to get into your system...even less likely. People are WAY to security paranoid these days.



    Not saying any of you are, I mean people in general...PC's espeically...though they have reason to be
  • Reply 9 of 12
    foadfoad Posts: 697member
    From what I know, this isn't a OS X only thing. UNIX based OSes are like this. Linux also only recognizes the first 8 characters of passwords. Anything beyond that is doesn't matter as far as the OS is concerned. This is system-wide by the way. It is not only in installers. It affects anything that is related to your password.



    The thing is this though. If you properly mix numbers and characters in your password there is no need to worry. Having a 8 character limit is as big a issue as a unlimited one if your password is "irulestuff". At least that is my point of view. I handle most of the passwords at work and when i assign people passwords, they are like...why does have to be that complicated. I said because I don't feel like someone getting into our company business that easily so deal with it.



    Just mix it up a bit.
  • Reply 10 of 12
    Quote:

    Originally posted by ast3r3x

    36 possible characters in any 8 digit combination.



    Who says there are only 36 possible characters ? There should be 127 possible characters (I don't know how many are actually typeable). Mac OS X passwords also probably accept multi-byte characters, though, this being unix, passwords are probably limited to 8 bytes and not 8 characters.



    Actually, people not knowing how to type characters can be a real advantage! If you used Kanji you could write your password down wherever you wanted and it wouldn't mattaer because nobody would no how to type it! Fool-proof security !



    F*cking Jazz

    -Chris
  • Reply 11 of 12
    Quote:

    Originally posted by foad

    From what I know, this isn't a OS X only thing. UNIX based OSes are like this. Linux also only recognizes the first 8 characters of passwords. Anything beyond that is doesn't matter as far as the OS is concerned. This is system-wide by the way. It is not only in installers. It affects anything that is related to your password.



    The thing is this though. If you properly mix numbers and characters in your password there is no need to worry. Having a 8 character limit is as big a issue as a unlimited one if your password is "irulestuff". At least that is my point of view. I handle most of the passwords at work and when i assign people passwords, they are like...why does have to be that complicated. I said because I don't feel like someone getting into our company business that easily so deal with it.



    Just mix it up a bit.




    Yep that's all correct. All the passwords I use are 8 character random letter/number/case combinations typically changed every 6 months or so.
Sign In or Register to comment.