Passwords Do Not Need To Be Complete
It seems that when you log in or switch users and are prompted for a password, one doesn't need to enter the full password. It seems that after 8 correct letters you don't have to enter any more, or you can even enter any other letters after the first correct 8 and still log in. This seems like a very big security issue. Maybe this is addressed somewhere else, but I just discovered it. Anyone else know why this happens, or is experiencing it too?
-macrules101
Comments
This has been addressed in 10.3, but if you did an upgrade install it may need a fix.
Originally posted by macrules101
This seems like a very big security issue.
Not at all, this is a very unixoid glitch that is due to the encryption algorithm used to securely store your password in the user database. Most UNIX operating systems that are 2 years old or more suffer the same limitation, because they all used the same encryption algorithm (called DES, but I may be wrong on this one, I'm not an expert).
Anyway, this has been fixed in Panther and most recent versions of Linux, BSD etc...
This is not a big security issue at all, since a good password (good = hard to crack) is not a very long password but a password that is not anywhere close to something included in a crack database: "franklindelanoroosevelt" will be cracked in 10 minutes whereas "t&j3*1+L" will probably never be cracked at all...
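The 8-character behaviour discussed in this thread matches traditional DES-based crypt(3), which builds its key from only the first 8 bytes of the password. The following is an added example, not part of the original thread: it reproduces that key construction and flags stored hashes in the 13-character DES format, which stay in place after an upgrade until the password is changed. The `user:hash:...` record layout, the function names and the sample records are assumptions made for illustration.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, no "$" prefix.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def des_crypt_key(password: str) -> bytes:
    """Build the 8-byte DES key the way traditional crypt(3) does:
    low 7 bits of each of the first 8 bytes, shifted left by one.
    Every byte after the eighth is ignored."""
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes((b & 0x7F) << 1 for b in raw)

def classify(hash_field: str) -> str:
    """Name the storage scheme from the format of the stored hash."""
    if hash_field in ("", "*", "!", "!!", "x"):
        return "locked-or-empty"
    if hash_field.startswith("$"):
        return "modular"  # $1$, $2b$, $5$, $6$, ...: no 8-character limit
    if DES_CRYPT_RE.match(hash_field):
        return "des-crypt"
    return "unknown"

def accounts_truncating_at_8(lines):
    """Return the user names whose stored hash is traditional DES crypt."""
    flagged = []
    for line in lines:
        user, _, rest = line.strip().partition(":")
        hash_field = rest.split(":", 1)[0]
        if classify(hash_field) == "des-crypt":
            flagged.append(user)
    return flagged

# Constructed sample records (user:hash:uid:gid); the hash strings are made up.
SAMPLE = [
    "alice:abJnggxhB2yWI:501:20",
    "bob:$6$c0nstructed$notARealHashValueJustTheRightPrefix:502:20",
    "carol:*:503:20",
]

if __name__ == "__main__":
    # Same first 8 characters -> same key, so both passwords are accepted.
    print(des_crypt_key("password123") == des_crypt_key("passwordXYZ"))
    print(accounts_truncating_at_8(SAMPLE))
```

Accounts flagged this way keep the 8-character limit until their password is set again under the newer scheme.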