Security protects only up to 8 "crackers"
  • @WeatherGod said:

    I don't see how that would work, either.  The user said that when logging in, he could enter any password, so long as the first 8 characters were correct.  Therefore, at the login step, the system is only hashing the first 8 characters (either by explicitly truncating the string, or by use of something like the crypt() function).  That hash must match whatever hash was stored for the account creation.
    Yes, but account creation is likely handled by another form, which may enforce the 8 character rule. For example, suppose the developer knew that crypt truncates at 8 characters. Their solution is to enforce a max of 8 characters at password creation (to avoid passwords like "password234$21.!" which become far less secure by truncating), but not worry about it at logins. After all, as discussed above, it's no less secure.
  • @bstorer said:

    @WeatherGod said:
    I don't see how that would work, either.  The user said that when logging in, he could enter any password, so long as the first 8 characters were correct.  Therefore, at the login step, the system is only hashing the first 8 characters (either by explicitly truncating the string, or by use of something like the crypt() function).  That hash must match whatever hash was stored for the account creation.
    Yes, but account creation is likely handled by another form, which may enforce the 8 character rule. For example, suppose the developer knew that crypt truncates at 8 characters. Their solution is to enforce a max of 8 characters at password creation (to avoid passwords like "password234$21.!" which become far less secure by truncating), but not worry about it at logins. After all, as discussed above, it's no less secure.
    My bad, I got a little mixed up between what was stated in the OP and in some later posts.  I see that it seems that they were enforcing the 8 character limit for the system during account creation.
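The behaviour both posters describe (login accepting any password whose first 8 characters are right, because the stored hash only ever covered 8 characters) can be shown in a few lines. The following is an added example, not code from the thread or from the system discussed: `legacy_hash` is a hypothetical stand-in that reproduces only the 8-character truncation of traditional crypt(3) (it is not DES crypt), `modern_hash` hashes the whole password with PBKDF2 from the standard library, and `audit_shadow_like` flags stored hashes that have the 13-character, no-`$`-prefix shape of traditional DES crypt so an operator can find accounts still on the truncating scheme. The shadow-style lines are constructed samples.

```python
import hashlib
import hmac
import re

# Hypothetical stand-in for the legacy behaviour the thread describes:
# traditional crypt(3) only looks at the first 8 characters of the
# password. This is NOT DES crypt; it only reproduces the truncation.
LEGACY_LIMIT = 8


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Hash that silently drops everything after the 8th character."""
    truncated = password[:LEGACY_LIMIT].encode()
    return hashlib.sha256(salt + truncated).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Hash the full password with PBKDF2-HMAC-SHA256 (no truncation)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify(stored: bytes, candidate: str, salt: bytes, hasher) -> bool:
    """Constant-time comparison of the stored digest against a candidate."""
    return hmac.compare_digest(stored, hasher(candidate, salt))


def demo_truncation() -> dict:
    """Show which candidates each scheme accepts for the thread's example password."""
    salt = b"constructed-salt"          # constructed, fixed so results are reproducible
    chosen = "password234$21.!"         # the example password from the thread
    legacy_stored = legacy_hash(chosen, salt)
    modern_stored = modern_hash(chosen, salt)
    return {
        # Under the truncating scheme only "password" (8 chars) is ever hashed,
        # so the bare prefix and any suffix both verify.
        "legacy_accepts_prefix": verify(legacy_stored, "password", salt, legacy_hash),
        "legacy_accepts_other_suffix": verify(legacy_stored, "passwordXYZ", salt, legacy_hash),
        # The full-length scheme only accepts the exact password.
        "modern_accepts_prefix": verify(modern_stored, "password", salt, modern_hash),
        "modern_accepts_full": verify(modern_stored, chosen, salt, modern_hash),
    }


# Detection: traditional DES crypt output is exactly 13 characters from the
# ./0-9A-Za-z alphabet (2 salt + 11 hash) with no "$id$" prefix; modular-crypt
# hashes such as $1$, $5$, $6$ or $2b$ all begin with '$'.
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def is_legacy_des_crypt(stored_hash: str) -> bool:
    """True if the stored hash has the shape of a truncating DES crypt hash."""
    return bool(_DES_CRYPT.match(stored_hash))


def audit_shadow_like(lines) -> list:
    """Return usernames whose stored hash looks like traditional DES crypt."""
    flagged = []
    for line in lines:
        parts = line.split(":")
        if len(parts) >= 2 and is_legacy_des_crypt(parts[1]):
            flagged.append(parts[0])
    return flagged


# Constructed shadow-style lines: alice is on the 13-character DES format,
# bob and carol are on modular-crypt formats that hash the full password.
SAMPLE_SHADOW = [
    "alice:abJnggxhB/yWI:19000:0:99999:7:::",
    "bob:$6$constructedsalt$constructedhashvalue:19000:0:99999:7:::",
    "carol:$2b$12$constructedsaltconstructedhashvalue:19000:0:99999:7:::",
]

if __name__ == "__main__":
    print(demo_truncation())
    print("accounts on truncating hash:", audit_shadow_like(SAMPLE_SHADOW))
```

The audit only looks at the hash format, so it finds accounts whose stored hash can never have covered more than 8 characters; moving those users to a modern scheme requires a rehash at their next successful login, since the original long password is not recoverable from the truncated hash.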