Item10485: The 8 char password trunc behavior of the crypt encoding should be stated on the configure info texts

Priority: Urgent
Current State: Closed
Released In: 1.1.3
Target Release: patch
Applies To: Engine
Component: Configure, Documentation
Reported By: IvanSassi
Waiting For:
Last Change By: KennethLavrsen
The crypt encoding cut off the password to 8 character, so any character beyond the 8th is ignored (and, for all practical purposes, accepted by the login manager).

This per se is not a problem, but users and sys admins should be aware of this behavior for choose between that and better encoding methods (as MD5).

Actually this behavior is not stated neither on the configure info texts nor in the official documentation. Even worse the crypt encoding is suggested for the linux intallations: the configure info text state "crypt is the default, and should be used on Linux/Unix".

In my opinion we should explain the limitations of the crypt encoding (both in configure info text and in the documentation) and ask ourselves if we should change the default encoding method too.

-- IvanSassi - 14 Mar 2011

This is indeed an issue. Lots of users tend to update their password adding some bits to the end of their name ... and if their name is already longer than 8 chars their accounts are as well protected as having no password at all. Therefore I suggest to deprecate crypt and add a red warning if people still use it.

-- MichaelDaum - 14 Mar 2011

Agreed. Confirmed. As it is security related, raising to Urgent. A documentation fix should be put in place ASAP.

-- CrawfordCurrie - 15 Mar 2011

Adding documentation. Should we add a checker to warn if Crypt is used? Maybe warn if Crypt chosen and no .htpasswd file exists, otherwise insert a Note that it is not that secure?

What should we recommend, and should we change the default?

-- GeorgeClark - 16 Mar 2011

SHA1 seems like the logical default.

I would make the warning appear regardless of whether an existing .htpasswd is present: I'm sure many administrators would be glad to be made aware that they should migrate to a more secure passwd format.

I'm disappointed there's no SHA1 option for htdigest.. oh well.

-- PaulHarvey - 16 Mar 2011

I've committed changes to Foswiki.spec and added a checker to Note or Warn the issue. (Only warn if .htpasswd does not exist.) However I'm a bit concerned that our choices are a bit off.

htpasswd command supports 3 encodings
  • -m Use MD5 encryption
  • -d Use crypt() encryption
  • -s Use SHA encryption
It also supports plain text, but states that it is not supported by the httpd daemon.

The htdigest command is used to implement Digest authentication. However we describe: md5 htdigest formaT. So it appears that we don't support the htpasswd md5 encoding, and our md5 is really digest auth.

-- GeorgeClark - 17 Mar 2011

ItemTemplate edit

Summary The 8 char password trunc behavior of the crypt encoding should be stated on the configure info texts
ReportedBy IvanSassi
Codebase 1.1.2
SVN Range
AppliesTo Engine
Component Configure, Documentation
Priority Urgent
CurrentState Closed
Checkins distro:c19b40970c75 distro:dfb5758c5931 distro:e25dcfe0d2bb distro:e117b9ce34b8
TargetRelease patch
ReleasedIn 1.1.3
Topic revision: r11 - 16 Apr 2011, KennethLavrsen
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy