Re: Name length password problem

From: Jason Fischer (jasonf@CONNECTEXPRESS.COM)
Date: 12/11/97

Next message: Drago's: "[CODE] Email"
Previous message: George: "Re: Get/Put spam killing?"
Maybe in reply to: Quinthius: "Name length password problem"
Next in thread: Jeremy Elson: "Re: Name length password problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 11 Dec 1997, George wrote:

> On Thu, 11 Dec 1997, Quinthius wrote:
> >is:  anyony with a character name with greater than 5 letters, can login
> >NO MATTER WHAT PASSWORD they use. i made a character "Quinthius", and i
> [...]
> >could be? My system is: FreeBSD 2.2.5, 32M RAM this is circlemud30 beta pl
> >12 it seems that anyone with a name of over 5 chars (or 6, i forget
> >which), seem to have this problem.  -Quinthius
> This was discussed before and I believe it was a FreeBSD library bug.  Turn
> off MD5 (I think) and use the standard crypt.  If you want more details,
> try the mailing list archives.

I think I was the one that posted this problem way back.  Turning off MD5
wasn't really on option on the box I was on, so I just gritted my teeth,
and doubled MAX_PWD_LENGTH from 10 to 20, wiped the player file, and went
on.

I would recomend writing a small program that mimics how the CRYPT macro
works under circle.  This will give  you a much better idea of what
exactly is going on, and this is how I finally figured out what the hell
was going on.  As a small recap, with MD5 the encrypted password is of the
format (well technically, the salt, not username):

$1$<username up to 8 characters>$<encrypted password>

and DES is of the format:

<encrypted password>

So anyone with a short username would at least have part of the password
stored, however, with a long name none of the password would be stored,
and any password entered would work.

Example:

Username: Foo
Password: bar

$1$Foo$Jyy              (10 characters)
$1$Foo$Jyy/8Hj/1sABk    (20 characters)

Username: Foobarbaz
Password: piffle

$1$Foobarb              (10 characters)
$1$Foobarba$fs.Ey.HQ    (20 characters)

ObCircle:  Is there a way that the configure script can be modified to
test for the default method of encryption?  If it finds it's MD5 at least
warn the user that their password length is likely going to need to be
munged?

--
Jason Fischer             |  Any smoothly functioning technology is
jasonf@connectexpress.com |  indistinguishable from a rigged demo.
      "In the shadow of the light from a black sun" Type O-

     +------------------------------------------------------------+
     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     | http://democracy.queensu.ca/~fletcher/Circle/list-faq.html |
     +------------------------------------------------------------+

Next message: Drago's: "[CODE] Email"
Previous message: George: "Re: Get/Put spam killing?"
Maybe in reply to: Quinthius: "Name length password problem"
Next in thread: Jeremy Elson: "Re: Name length password problem"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : 12/08/00 PST