Item10485: The 8 char password trunc behavior of the crypt encoding should be stated on the configure info texts
Priority: Urgent
Current State: Closed
Released In: 1.1.3
Target Release: patch
Applies To: Engine
Component: Configure, Documentation
Branches:
The crypt encoding cuts the password off at 8 characters, so any character beyond the 8th is ignored (and, for all practical purposes, accepted by the login manager).
This per se is not a problem, but users and sysadmins should be aware of this behavior to choose between it and better encoding methods (such as MD5).
Actually this behavior is stated neither in the configure info texts nor in the official documentation. Even worse, the crypt encoding is suggested for Linux installations: the configure info text states "crypt is the default, and should be used on Linux/Unix".
In my opinion we should explain the limitations of the crypt encoding (both in configure info text and in the documentation) and ask ourselves if we should change the default encoding method too.
--
IvanSassi - 14 Mar 2011
This is indeed an issue. Lots of users tend to update their password by adding some bits to the end of their name ... and if their name is already longer than 8 chars, their accounts are as well protected as having no password at all. Therefore I suggest deprecating crypt and adding a red warning if people still use it.
--
MichaelDaum - 14 Mar 2011
Agreed. Confirmed. As it is security related, raising to Urgent. A documentation fix should be put in place ASAP.
--
CrawfordCurrie - 15 Mar 2011
Adding documentation. Should we add a checker to warn if Crypt is used? Maybe warn if Crypt is chosen and no .htpasswd file exists, otherwise insert a Note that it is not that secure?
What should we recommend, and should we change the default?
--
GeorgeClark - 16 Mar 2011
SHA1 seems like the logical default.
I would make the warning appear regardless of whether an existing .htpasswd is present: I'm sure many administrators would be glad to be made aware that they should migrate to a more secure passwd format.
I'm disappointed there's no SHA1 option for htdigest... oh well.
--
PaulHarvey - 16 Mar 2011
I've committed changes to Foswiki.spec and added a checker to Note or Warn the issue. (Only warn if .htpasswd does not exist.) However I'm a bit concerned that our choices are a bit off.
The htpasswd command supports 3 encodings:
- -m Use MD5 encryption
- -d Use crypt() encryption
- -s Use SHA encryption
It also supports plain text, but states that it is not supported by the httpd daemon.
The htdigest command is used to implement Digest authentication. However we describe: "md5 htdigest format". So it appears that we don't support the htpasswd md5 encoding, and our md5 is really digest auth.
--
GeorgeClark - 17 Mar 2011
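As an added example (not code from the thread or from Foswiki), here is the kind of checker discussed above: it classifies each .htpasswd entry by the format markers Apache's htpasswd writes (-d crypt, -m $apr1$ MD5, -s {SHA}), flags crypt entries because crypt(3) only uses the first 8 password characters, and shows how the {SHA} field that a migration would produce is computed. The sample .htpasswd content is constructed; its hash values are placeholders in the right shape for each format.

```python
import base64
import hashlib
import re

# Constructed sample .htpasswd (not from the thread). Only the field
# shapes matter here; alice/bob entries are placeholders, not real hashes.
SAMPLE_HTPASSWD = """\
alice:abJnggxhB/yWI
bob:$apr1$saltsalt$0123456789abcdefghijklm
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:plaintextpassword
"""

def classify_hash(field):
    """Identify the htpasswd encoding from the hash field alone."""
    if field.startswith("$apr1$"):
        return "md5"      # htpasswd -m (Apache MD5 variant)
    if field.startswith("{SHA}"):
        return "sha1"     # htpasswd -s (base64 of SHA-1)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "crypt"    # htpasswd -d: 2-char salt + 11-char DES output
    return "plain"        # anything else is treated as unencoded

def check_htpasswd(text):
    """Return (user, format, severity) for each entry.

    crypt is flagged because only the first 8 password characters are
    used; plain text is flagged because httpd does not support it.
    Entries of exactly 13 crypt-alphabet characters are assumed to be
    crypt hashes, so a 13-char plain password would be reported as crypt.
    """
    results = []
    for line in text.splitlines():
        if not line or ":" not in line:
            continue
        user, field = line.split(":", 1)
        fmt = classify_hash(field)
        severity = "warn" if fmt in ("crypt", "plain") else "ok"
        results.append((user, fmt, severity))
    return results

def sha1_htpasswd(password):
    """Build the {SHA} field written by htpasswd -s: base64(SHA-1(pw))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def verify_sha1(field, password):
    """Check a candidate password against a {SHA} entry (full length used)."""
    return field == sha1_htpasswd(password)
```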