5410 – Linux only checks the first 8 characters of password entered

Bug 5410 - Linux only checks the first 8 characters of password entered

Summary: Linux only checks the first 8 characters of password entered

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	passwd
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	David Lawrence
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	1999-09-28 04:34 UTC by joel
Modified:	2008-05-01 15:37 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	1999-09-28 14:47:52 UTC
Embargoed:

Attachments	(Terms of Use)

Description joel 1999-09-28 04:34:25 UTC

Linux doesn't seem to check the full password string entered
against that password database, or only stores the first 8
letters.  If my password was joelwener1010, entering
joelwene, at a telnet, or e-mail password prompt would be
accepted, and I would be logged into the system.  This can
be a security problem especially if the password is meant to
be long in the first place.

Joel Wener

Comment 1 Bill Nottingham 1999-09-28 14:47:59 UTC

Standard unix behavior for crypt() password.

Turning on shadow & md5 passwords will solve this.

Note You need to log in before you can comment on or make changes to this bug.