misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login

Ceri Davies ceri at submonkey.net
Mon Jul 26 05:20:25 PDT 2004


The following reply was made to PR misc/69596; it has been noted by GNATS.

From: Ceri Davies <ceri at submonkey.net>
To: Timothy Radigan <tradigan at newrevolutions.net>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: misc/69596: When logging in or su'ing to root, I noticed that if you type the correct password but add characters to the end of the correct password, the password still passes validation and allows you to login
Date: Mon, 26 Jul 2004 13:14:55 +0100

 On Sun, Jul 25, 2004 at 11:01:06PM +0000, Timothy Radigan wrote:
 
 > Log in using an account, type the correct password and a few extra
 > characters after the correct password and try to log in.  You will
 > be validated and access is granted.
 
 At a guess, I'd say that you are using DES encrypted passwords, and your
 password (after appending the extra characters) is more than 8 characters
 long.  This is a common limitation with DES.
 
 Ceri
 -- 
 It is not tinfoil, it is my new skin.  I am a robot.
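
The behaviour described in the reply above, as an added example that is not part of the original message or of FreeBSD's code: traditional DES crypt(3) builds its key from the low 7 bits of the first 8 password characters, so anything typed after the eighth character is ignored. The sketch below finds accounts still stored in that format in master.passwd-style text; the function names are hypothetical and the sample lines and hash strings are constructed placeholders, not real hashes.

```python
import re

# Traditional DES crypt(3): 2 salt characters + 11 hash characters, no "$" prefix.
TRADITIONAL_DES = re.compile(r"^[./0-9A-Za-z]{13}$")
# BSDi extended DES: "_" + 4 count characters + 4 salt characters + 11 hash characters.
EXTENDED_DES = re.compile(r"^_[./0-9A-Za-z]{19}$")
MODULAR_PREFIXES = {"$1$": "md5", "$2": "blowfish", "$5$": "sha256", "$6$": "sha512"}

def classify_hash(field):
    """Name the crypt(3) format of a password field by its shape."""
    if TRADITIONAL_DES.match(field):
        return "des"
    if EXTENDED_DES.match(field):
        return "des-extended"
    for prefix, name in MODULAR_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "other"  # locked ("*"), empty, or a format not listed here

def des_effective_key(password):
    """Bytes traditional DES crypt actually keys on: low 7 bits of the first 8."""
    return bytes(b & 0x7F for b in password.encode()[:8])

def accounts_on_traditional_des(passwd_text):
    """Return login names whose stored hash is traditional (truncating) DES."""
    flagged = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) > 1 and classify_hash(fields[1]) == "des":
            flagged.append(fields[0])
    return flagged

# Constructed sample in master.passwd layout; the hash strings are placeholders.
SAMPLE = """\
root:ab0123456789A:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$saltsalt$0123456789abcdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$2a$04$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1002:1002::0:0:Bob:/home/bob:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
"""

if __name__ == "__main__":
    print("accounts on traditional DES:", accounts_on_traditional_des(SAMPLE))
    # The two inputs below differ only after the eighth character.
    print(des_effective_key("Secret12") == des_effective_key("Secret12extra"))
```

Accounts the check reports keep the 8-character limit until their password is set again under a non-DES format.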

