

Security hole: only the first 8 characters in password matter - edw519
http://support.fogcreek.com/default.asp?fogbugz.4.6098.1

======
Tangurena
That's a 4 year old bug. Do you think it is fixed by now?

~~~
dodger
Been fixed for ages.

------
tlb
Accepting long passwords may mislead people to use passphrases, the first 8
characters of which are very vulnerable to a dictionary attack. If you're only
going to consider the first 8 characters, you should make it impossible to
type more than 8 characters on the entry form.
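
An added example, not from this thread or from FogBugz, showing how to probe a hash/verify pair for the silent truncation tlb describes. `legacy_hash` is a constructed stand-in for DES crypt's 8-byte cutoff (SHA-256 is used only so it runs anywhere), and `modern_hash` is PBKDF2-HMAC over the whole password; `truncates_passwords` is the check you would run against your own authentication code.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a legacy DES-crypt style hash: the original
# crypt(3) silently keeps only the first 8 bytes of the password. This
# simulation reproduces that truncation with SHA-256 so it runs offline.
def legacy_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()[:8]).digest()

def legacy_verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(legacy_hash(password, salt), digest)

# Modern replacement: PBKDF2-HMAC-SHA256 over the full password.
def modern_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def modern_verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(modern_hash(password, salt), digest)

def truncates_passwords(hash_fn, verify_fn, limit: int = 8) -> bool:
    """Probe a hash/verify pair for silent truncation at `limit` characters.

    Enrol a passphrase longer than `limit`, then present a password that
    agrees with it only in the first `limit` characters. A correct scheme
    must reject the probe; a truncating one accepts it.
    """
    salt = os.urandom(16)
    enrolled = "correct horse battery staple"          # constructed, 28 chars
    probe = enrolled[:limit] + "X" * (len(enrolled) - limit)
    if probe == enrolled:
        raise ValueError("probe must differ from the enrolled password")
    digest = hash_fn(enrolled, salt)
    return verify_fn(probe, salt, digest)

if __name__ == "__main__":
    print("legacy truncates:", truncates_passwords(legacy_hash, legacy_verify))
    print("modern truncates:", truncates_passwords(modern_hash, modern_verify))
```

If the probe is accepted, either fix the hash or, as tlb says, cap the entry form at the same limit so users are not misled into relying on the tail of a passphrase.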

------
cperciva
Wow. I was including the original DES CRYPT function in my BSDCan talk as a
purely historical element... I guess I'll need to revise that slide now.

I don't think that RHM made mistakes often, but using only the first 8
characters of a password certainly qualifies.

~~~
hc
That would be RHM.

~~~
cperciva
Oops. Corrected, thanks. I wrote "Robert Morris", then realized that was
ambiguous and added "(senior)", then I thought "wait, everybody just calls
Robert Morris 'rtm'"...

------
VBprogrammer
I'm not particularly familiar with this software but it appears to be some
kind of project management software. I think the odds of someone beating an 8
character well chosen password are less than the value of the data protected
by said password!

~~~
swombat
That's pretty irrelevant.

~~~
VBprogrammer
In what way is suggesting that the level of security used is probably more
than sufficient for the value of the data it's meant to protect irrelevant?

~~~
swombat
It's irrelevant because offering people the option of entering longer
passwords and then discarding everything above 8 characters is stupid no
matter how secure it might be.

~~~
VBprogrammer
Ok, I agree with that. I'm sure it was a side effect of some library rather
than a deliberate choice though. Not to worry, as other commenters have
pointed out, this has been fixed for some time.

------
kogir
Don't know if it's still the case, but Charles Schwab had the same problem. It
really increased my confidence in the safety of their website.

------
ableal
Worked that way in many Unix systems - e.g. HP-UX as of ten years ago.

Doesn't seem to be that important - I'd worry more about a system that would
reply to 10k/s remote login requests ...

------
vaksel
That's just stupid.

