Bug in OS X Installer Authentication?

Posted in macOS, edited January 2014
Hey everyone!

Try this (if you have a Mac OS X password longer than 8 chars): Launch some installer that requires authenticating yourself, enter only the first 8 chars of your password and hit enter.

At least in 10.2.3, you will be authenticated although you didn't enter the full (i.e. correct) password! I checked it with the Dec2002SystemEvents Installer and with the Java 1.4.1 Package.

Is this a known bug or something? Can anyone tell?

Greetings!

danB

Comments

  • Reply 1 of 12
    Yes, it is known. Mac OS X has always only checked the first 8 characters. Is it serious? I don't know. Someone else here can answer that better than I can.
  • Reply 2 of 12
    Quote:

    Originally posted by Chealion

    Yes, it is known. (...) Is it serious?

    Well, since they haven't fixed it yet and with the fact in mind that OS X's been on the market for 2 and a half years now: Guess not.
  • Reply 3 of 12
    torifile (Posts: 4,024)
    Quote:

    Originally posted by Chealion

    Yes, it is known. Mac OS X has always only checked the first 8 characters. Is it serious? I don't know. Someone else here can answer that better than I can.

    I think it's serious only in so far as you can only have 8 characters in your password. OS X isn't as susceptible to buffer overruns as MS stuff, so the risk of the system reading in those extra characters and actually doing something with them is extremely low. So, no, it's not serious except that it's easier (relatively speaking) to guess someone's password.
  • Reply 4 of 12
    shetline (Posts: 4,695)
    Quote:

    Originally posted by torifile

    So, no, it's not serious except that it's easier (relatively speaking) to guess someone's password.

    There's also the risk of thinking that you've changed a password, but not actually having done so, because you've changed only characters beyond the eighth character, characters you never realized were being ignored.

    BTW, this issue isn't specific to installers. I believe it applies to any use of OS X system passwords in general. Maybe Panther supports longer passwords?
  • Reply 5 of 12
    torifile (Posts: 4,024)
    Quote:

    Originally posted by shetline

    There's also the risk of thinking that you've changed a password, but not actually having done so, because you've changed only characters beyond the eighth character, characters you never realized were being ignored.

    BTW, this issue isn't specific to installers. I believe it applies to any use of OS X system passwords in general. Maybe Panther supports longer passwords?

    Good point. I hadn't thought of that. And, you're right, it's your user password (which the Installers use for authentication).
  • Reply 6 of 12
    Quote:

    Originally posted by shetline

    Maybe Panther supports longer passwords?

    Interesting question... any ADC Member w/ Panther on his/her machine out there to check this?

    greetz

    durandal
  • Reply 7 of 12
    Quote:

    Originally posted by durandal

    Interesting question... any ADC Member w/ Panther on his/her machine out there to check this?

    greetz

    durandal

    As of 7B59 this bug has been fixed. I only checked the login password, not authentication for updates.

    Blueflame
  • Reply 8 of 12
    ast3r3x (Posts: 5,012)
    36 possible characters in any 8 digit combination.

    8^36

    1,073,741,824

    Easily hackable? Short answer no, long answer yes. Is anyone that knows how to do it going to be trying to get into your system... even less likely. People are WAY too security paranoid these days.

    Not saying any of you are, I mean people in general... PC's especially... though they have reason to be.
  • Reply 9 of 12
    foad (Posts: 717)
    From what I know, this isn't an OS X only thing. UNIX based OSes are like this. Linux also only recognizes the first 8 characters of passwords. Anything beyond that doesn't matter as far as the OS is concerned. This is system-wide by the way. It is not only in installers. It affects anything that is related to your password.

    The thing is this though. If you properly mix numbers and characters in your password there is no need to worry. Having an 8 character limit is as big an issue as an unlimited one if your password is "irulestuff". At least that is my point of view. I handle most of the passwords at work and when I assign people passwords, they are like... why does it have to be that complicated. I said because I don't feel like someone getting into our company business that easily, so deal with it.

    Just mix it up a bit.
  • Reply 10 of 12
    Quote:

    Originally posted by ast3r3x

    36 possible characters in any 8 digit combination.

    Who says there are only 36 possible characters? There should be 127 possible characters (I don't know how many are actually typeable). Mac OS X passwords also probably accept multi-byte characters, though, this being unix, passwords are probably limited to 8 bytes and not 8 characters.

    Actually, people not knowing how to type characters can be a real advantage! If you used Kanji you could write your password down wherever you wanted and it wouldn't matter because nobody would know how to type it! Fool-proof security!

    F*cking Jazz

    -Chris
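As an added illustration (not code from this thread, from Apple, or from any real crypt(3) implementation), the Python below models the truncating check that shetline's reply (a "changed" password that is really a no-op) and Chris's reply (8 bytes rather than 8 characters, so Kanji burns through the budget quickly) both describe. The SHA-256 stand-in hash, the salt and the sample passwords are constructed for the demonstration.

```python
import hashlib

# Constructed model of the behaviour the thread describes (traditional
# crypt(3)-style truncation). This is NOT Mac OS X's real code: SHA-256
# stands in for the DES hash purely so the effect of the cut is observable.
LEGACY_LIMIT = 8  # bytes, not characters


def legacy_truncate(password: str) -> bytes:
    """Keep only the bytes a truncating verifier would ever look at."""
    return password.encode("utf-8")[:LEGACY_LIMIT]


def legacy_hash(password: str, salt: bytes) -> str:
    """Hash of the truncated password; nothing past byte 8 can affect it."""
    return hashlib.sha256(salt + legacy_truncate(password)).hexdigest()


def legacy_verify(candidate: str, salt: bytes, stored: str) -> bool:
    """Accepts any candidate whose first 8 bytes match the enrolled password."""
    return legacy_hash(candidate, salt) == stored


def change_is_effective(old: str, new: str) -> bool:
    """shetline's failure mode: a 'new' password that differs only after
    byte 8 leaves the stored hash unchanged, so the change is a no-op."""
    return legacy_truncate(old) != legacy_truncate(new)


def effective_chars(password: str) -> tuple[int, bool]:
    """Return (characters that fully count, whether one is cut mid-encoding).
    Kanji are 3 bytes each in UTF-8, so only two fit before the cut."""
    used = full = 0
    for ch in password:
        n = len(ch.encode("utf-8"))
        if used + n > LEGACY_LIMIT:
            return full, used < LEGACY_LIMIT
        used += n
        full += 1
    return full, False


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; a real system would use per-user salt
    enrolled = legacy_hash("CorrectHorseBattery", salt)
    print("first 8 chars accepted:", legacy_verify("CorrectH", salt, enrolled))
    print("Password123 -> Password456 effective:", change_is_effective("Password123", "Password456"))
    print("Kanji characters that actually count:", effective_chars("日本語の合言葉"))
```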
  • Reply 11 of 12
    Quote:

    Originally posted by foad

    From what I know, this isn't an OS X only thing. UNIX based OSes are like this. Linux also only recognizes the first 8 characters of passwords. Anything beyond that doesn't matter as far as the OS is concerned. This is system-wide by the way. It is not only in installers. It affects anything that is related to your password.

    The thing is this though. If you properly mix numbers and characters in your password there is no need to worry. Having an 8 character limit is as big an issue as an unlimited one if your password is "irulestuff". At least that is my point of view. I handle most of the passwords at work and when I assign people passwords, they are like... why does it have to be that complicated. I said because I don't feel like someone getting into our company business that easily, so deal with it.

    Just mix it up a bit.

    Yep, that's all correct. All the passwords I use are 8 character random letter/number/case combinations, typically changed every 6 months or so.