One Hell Of A Bug In OS X 10.2...How Could They Miss This?
Well you would think with all of the Security Updates that Apple has come out with they would have gotten this fixed a long time ago......now I don't know what you would think of it but to me it's a Security Bug I don't like and find just wrong.
Log out of your Mac.....now in the login screen put in your password and then at the end of it type in ANYTHING and I mean anything and it will let you login as if your "password" is correct!? If your password is say....'thend' and at the end of that password you put in 'thendwhatever' it will work as a pass and let you login.....
Now this isn't right and it's a simple bug that has been around since 10.1 I have been told....why? Do you think this is a bug or part of the 150 "new" things of the OS? C'mon people....what if your friends try to crack your pass and all they have to do is get the first part right as the rest "doesn't matter" to the OS!?
Frank_t
PS. Don't get me wrong, I'm not an OS 9 lover like some, if anything I want this OS to be the best it can be but when you've got simple Security bugs like this in them you have to ask what Apple is doing?
Comments
two things. first, in this case the person has to know your entire password to begin with, in which case you're ****ed anyway.
second, i believe it's because OSX only counts the first 8 characters. try selecting a 7 character password then adding on to the end, see if it still works.
The user would have to know the first 8 characters of your password before being able to do anything.
[ 09-14-2002: Message edited by: Brad ]
It's a bug....don't care how old it is...
Frank_t
It's not a bug, it's how Apple designed the password screen. It ignores everything after the 8th character. Try the test suggested: make a 7 letter password, then try to tack something on the end of it when logging in. It won't work....
Or, more precisely, a kludge because it wasn't written to not draw anything after the eighth character in the password box.
Frank, if it bothers you that much, go visit the Mac OS X feedback page (http://www.apple.com/macosx/feedback/).
"Or, more precisely, a kludge because it wasn't written to not draw anything after the eighth character in the password box."
No, you obviously haven't tried this and don't know what's going on. Try it. Extra characters ARE displayed, but ignored.
If your password is "apollo13", then "apollo14" will not work, but "apollo1379" will, and "apollo13wasareallygoodmovie" will too.
If your password is "thefrencharestrangepeople", then "thefrenc" will also work - as well as "thefrenciaouasdjoiasdjoi".
Only the first 8 characters (whether it be letters, numbers, or whatever) count.
You can consider it a security issue, and you can report it to Apple, but they can't do anything about it except to change the encryption mechanism, and they sure won't do that.
8 characters is *definitely* enough to encrypt something enough. Unless you use "English1" as a password. Use something like "hUj3aKo7", and nobody will be able to guess it (and "bruteforcing" will take ages).
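The behaviour described in the posts above, as an added example that is not part of the original thread: a salted verifier that looks only at the first 8 bytes beside one that uses the whole password, plus a black-box probe that reports how many leading characters a verifier actually checks. The function names and the use of PBKDF2 are assumptions for illustration; this is not the Mac OS X login code.

```python
import hashlib
import hmac
import os

ITERATIONS = 1000  # kept low so the demo runs quickly; not a production setting


def enroll(password, limit=None):
    """Store a password; only the first `limit` bytes count (None = all)."""
    salt = os.urandom(16)
    secret = password.encode()[:limit]
    return salt, hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def verify(candidate, record, limit=None):
    """Check a login attempt against a stored (salt, digest) record."""
    salt, digest = record
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode()[:limit], salt, ITERATIONS)
    return hmac.compare_digest(trial, digest)


def accepted(password, attempts, limit=None):
    """Return the attempts that log in when `password` is the real one."""
    record = enroll(password, limit)
    return [a for a in attempts if verify(a, record, limit)]


def significant_length(check, password):
    """Black-box probe: length of the shortest prefix of `password` that
    `check` accepts, i.e. how many characters the verifier really uses."""
    for n in range(1, len(password) + 1):
        if check(password[:n]):
            return n
    return None


if __name__ == "__main__":
    # Sample passwords taken from the posts above.
    tries = ["apollo13", "apollo14", "apollo1379", "apollo13wasareallygoodmovie"]
    print("8-char verifier accepts:", accepted("apollo13", tries, limit=8))
    print("full verifier accepts:  ", accepted("apollo13", tries))
    long_pw = "thefrencharestrangepeople"
    rec = enroll(long_pw, limit=8)
    print("characters that count:", significant_length(lambda c: verify(c, rec, 8), long_pw))
```

Run against a test account with a long known password, the same probe idea shows whether a given login path truncates its input.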
"No, you obviously haven't tried this and don't know what's going on. Try it. Extra characters ARE displayed, but ignored."
I think that's what he said:
Or, more precisely, a kludge because it wasn't written to not draw anything after the eighth character in the password box.
Double negatives, don't you just love them.
[ 09-16-2002: Message edited by: RodUK ]
Not a bug, but can be perceived as a bug. Depends on which side of the fence you stand.
Password is a password.....nothing more or less.....but this just makes the word "Security" in os x look like a joke at such a basic level.
Frank_t
"I'm on the "i want my Mac to be on the Security fence side". I see this has been around for a long time....SO WHY NOT get it out of the way and fix it already!?
Password is a password.....nothing more or less.....but this just makes the word "Security" in os x look like a joke at such a basic level.
Frank_t"
You haven't understood what security is about at all. The fact that the encryption module used for authentication by LOTS of operating systems is limited to 8 characters is no security risk. It has just been designed like that. One could change the encryption mechanism to work with 12 characters, with 32, or with an unlimited amount of them, but that would make things much slower and it would be really pointless.
I've already pointed out how passwords with 8 characters are secure enough for any use. If you're über-intelligent enough to figure out a password with 8 characters, I hereby invite you to try and log in to one of the "interesting" servers, such as those of the military, the government, the secret service, big companies, ... I can assure you that you'll get root access at a large percentage of them.
And once again: This is NOT an issue with Apple. NOT an issue with an Apple product. This is an issue with - guessed - 80 PERCENT of all UNIX-based operating systems out there.
About 100 typable characters in 8 positions.
100^8 = 10E15 or 10 petapasswords
A 1 GHz processor would take about 116 days to guess the password.
If that isn't good enough for you...
then turn on group level passwords and have 8 more characters to work through.
Which by the way could take as little as 232 days if the first password is actually verified before asking the second. Or approximately 3E15 years (longer than earth has existed) for that 1 GHz processor to guess the password if verified together. :eek:
[ 09-16-2002: Message edited by: MrBillData ]
"Double negatives, don't you just love them."
Thanks Rod, I only just saw Brad's post.
Edit: On reflection, I probably could have used a less convoluted form, but I said exactly what I meant, and it's factually and grammatically correct.
[ 09-17-2002: Message edited by: Overhope ]
It IS Apple's problem.
It IS ok that the password system only uses 8 characters.
It IS NOT ok that Apple let the user enter more than 8 characters in the password fields.
It is not a big bug. But it is one of those little things, that grates on the user experience. It is things like this that drag good interfaces into the muck of KDE and GNOME.
So, what did I say, the bug is not in the security ( so give it up ), it is in the user interface ( just accept it ).
:cool: