On Mon, 11 May 1998, Mark A. Heilpern wrote:
->The standard *nix crypt() function only operates on the first 8 characters of
->your password; anything beyond that is noise and not looked at. (Tho, I have
->heard of at least one crypt() library function that was significant to 16
->characters.) Also, if I'm not mistaken, characters that have the high bit
->turned
->on (not normally typable without ALT-xxx sequences) will have the high bit
->stripped before encryption.
Which still doesn't matter, because crypt() returns a 13 character
long string. And MAX_PWD_LENGTH is used for the binary files, thus
stripping two characters off of the encrypted password. This is most
certainly a security flaw, but not--in all likelihood--a "risk."
Allow me to explain. There is a chance that two different strings,
encrypted using the same key, will differ _only_ by those last two
characters which are stripped off by Circle. However, the chances of
someone being able to exploit such a conflict--to the best of my
estimations--are extremely slim. In fact, the chances are so small
that they may as well be considered non-existent. I still, however,
suggest that it be fixed (and, according to George, it may be in 3.1).
Remember: Anything that can go wrong, will go wrong.
-dak : Can go wrong.
+------------------------------------------------------------+
| Ensure that you have read the CircleMUD Mailing List FAQ: |
| http://democracy.queensu.ca/~fletcher/Circle/list-faq.html |
+------------------------------------------------------------+
This archive was generated by hypermail 2b30 : 12/15/00 PST