Password Length
Andreas Flack
Tue June 23 2009 16:55:07 UTC
Hi!
While debugging some login problems, I noticed that the person password
field has the dbtype "varchar(13) binary" in MgdObjects.xml. Considering
the two leading stars for unencrypted passwords, this just leaves 11
characters for the actual password. Is there any special reasons that
this is so short or could it be made longer? Also, why don't I get an
error message when I set a password that is longer than 11 characters?
F.x.
I enter "MySuperLongPassword2009"
this gets saved in the DB as
**MySuperLo
without any notice that it got changed. When I try to log in with the
full password, all I get is "Access denied"
Bye,
Andreas
_______________________________________________
dev mailing list
dev@lists.midgard-project.org
http://lists.midgard-project.org/mailman/listinfo/dev
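The lockout Andreas describes comes from an asymmetry: the store path clips the value to what fits, while the verify path compares the full input. The Python below is an added example, not Midgard code, that reproduces the mechanism with a stand-in for a non-strict `varchar(13) binary` column and adds the boundary check a practitioner would want, so an over-long password is refused instead of silently shortened. The `TruncatingColumn` class, the handling of the leading `**` marker and all function names are this example's assumptions. The stand-in clips at the declared column width; the value Andreas actually observed is shorter than that, so in Ragnaroek the clipping happens somewhere other than the column itself.

```python
"""Added example: silent password truncation on store versus full comparison on verify.
Not Midgard code; the column stand-in and the function names are this example's own."""

COLUMN_WIDTH = 13          # the "varchar(13) binary" width quoted in the thread
PLAINTEXT_MARKER = b"**"   # leading stars mark an unencrypted password


class TruncatingColumn:
    """Stand-in for a MySQL varchar column in non-strict mode: an over-long value
    is clipped to the declared width and no error reaches the caller."""

    def __init__(self, width: int = COLUMN_WIDTH) -> None:
        self.width = width
        self.raw = b""

    def store(self, value: bytes) -> None:
        self.raw = value[: self.width]   # the silent clip


def set_password_legacy(col: TruncatingColumn, password: str) -> None:
    """Store path as observed in the thread: no length check before the write."""
    col.store(PLAINTEXT_MARKER + password.encode("utf-8"))


def check_password(col: TruncatingColumn, password: str) -> bool:
    """Verify path: compares the *full* supplied password against what was stored."""
    return col.raw == PLAINTEXT_MARKER + password.encode("utf-8")


def fits_column(col: TruncatingColumn, password: str) -> bool:
    """True if marker + password fits the column. A binary column counts bytes, so
    multibyte characters use up the budget faster than the character count suggests."""
    budget = col.width - len(PLAINTEXT_MARKER)
    return len(password.encode("utf-8")) <= budget


def set_password_checked(col: TruncatingColumn, password: str) -> None:
    """Hardened store path: refuse instead of clipping, so the user learns at
    password-change time rather than at the next login."""
    if not fits_column(col, password):
        budget = col.width - len(PLAINTEXT_MARKER)
        raise ValueError(f"password exceeds {budget} bytes and would be truncated")
    col.store(PLAINTEXT_MARKER + password.encode("utf-8"))


def lockout_demo(password: str = "MySuperLongPassword2009") -> tuple:
    """Reproduces the report: returns (stored bytes, login result with the full
    password, login result with the clipped prefix the database kept)."""
    col = TruncatingColumn()
    set_password_legacy(col, password)
    prefix = col.raw[len(PLAINTEXT_MARKER):].decode("utf-8")
    return col.raw, check_password(col, password), check_password(col, prefix)


def checked_demo(password: str) -> bool:
    """Hardened path end to end: True if the password was accepted and verifies,
    False if the length check refused it."""
    col = TruncatingColumn()
    try:
        set_password_checked(col, password)
    except ValueError:
        return False
    return check_password(col, password)


if __name__ == "__main__":
    stored, full_ok, prefix_ok = lockout_demo()
    print(f"stored={stored!r} full_password_ok={full_ok} clipped_prefix_ok={prefix_ok}")
```

Run as a script it prints the stored value, shows the full password being rejected and the clipped prefix being accepted, which is exactly the silent lockout the post describes. The length check belongs at the API that sets the password, not in the schema: the schema only decides how much is kept, it cannot tell the user anything.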
Re: [midgard-dev] Password Length
Tue June 23 2009 17:10:08 UTC
On Tue, Jun 23, 2009 at 8:45 PM, Andreas Flack <flack@contentcontrol-berlin.de> wrote:
> Hi!
>
> While debugging some login problems, I noticed that the person password
> field has the dbtype "varchar(13) binary" in MgdObjects.xml. Considering
> the two leading stars for unencrypted passwords, this just leaves 11
> characters for the actual password. Is there any special reasons that
> this is so short or could it be made longer? Also, why don't I get an
> error message when I set a password that is longer than 11 characters?
>
> F.x.
>
> I enter "MySuperLongPassword2009"
>
> this gets saved in the DB as
>
> **MySuperLo
>
> without any notice that it got changed. When I try to log in with the
> full password, all I get is "Access denied"
Using trunk (and sqlite) I get this instead: password varchar(255) DEFAULT ''
What version do you use? Ragnaroek?
--
Alexey Zakhlestin
http://www.milkfarmsoft.com/
Re: [midgard-dev] Password Length
Tue June 23 2009 17:35:05 UTC
Alexey Zakhlestin schrieb:
> On Tue, Jun 23, 2009 at 8:45 PM, Andreas
> Flack<flack@contentcontrol-berlin.de> wrote:
>> Hi!
>>
>> While debugging some login problems, I noticed that the person password
>> field has the dbtype "varchar(13) binary" in MgdObjects.xml. Considering
>> the two leading stars for unencrypted passwords, this just leaves 11
>> characters for the actual password. Is there any special reasons that
>> this is so short or could it be made longer? Also, why don't I get an
>> error message when I set a password that is longer than 11 characters?
>>
>> F.x.
>>
>> I enter "MySuperLongPassword2009"
>>
>> this gets saved in the DB as
>>
>> **MySuperLo
>>
>> without any notice that it got changed. When I try to log in with the
>> full password, all I get is "Access denied"
>
> using trunk (and sqlite) I get this instead: password varchar(255) DEFAULT ''
>
> what version do you use? ragnaroek?
Yes, Ragnaroek. Curiously enough, the actual column in the db is
varchar(255) DEFAULT '' for me, too, but still every password I enter
gets cut off after 13 characters; my guess would be that this is because
of the mgdschema:
http://trac.midgard-project.org/browser/branches/ragnaroek/midgard/core/midgard/MgdObjects.xml
Re: [midgard-dev] Password Length
Tue June 23 2009 18:40:05 UTC
Andreas Flack writes:
Hi!
> Yes, Ragnaroek. Curiously enough, the actual column in the db is
> varchar(255) DEFAULT '' for me, too, but still every password I enter
> gets cut off after 13 characters, my guess would be that this is because
> of the mgdschema:
>
> http://trac.midgard-project.org/browser/branches/ragnaroek/midgard/core/midgard/MgdObjects.xml
No, this is an encrypt issue. It doesn't accept longer passwords.
Piotras
Re: [midgard-dev] Password Length
Tue June 23 2009 22:25:07 UTC
Piotr Pokora schrieb:
> Andreas Flack writes:
>
> Hi!
>
>> Yes, Ragnaroek. Curiously enough, the actual column in the db is
>> varchar(255) DEFAULT '' for me, too, but still every password I enter
>> gets cut off after 13 characters, my guess would be that this is because
>> of the mgdschema:
>>
>> http://trac.midgard-project.org/browser/branches/ragnaroek/midgard/core/midgard/MgdObjects.xml
>
> No, this is encrypt issue. It doesn't accept longer passwords.
And could this cutting be limited to encrypted passwords only? Most
passwords are unencrypted in the db anyway, so if longer passwords
were possible for them, this would already help.
Also, could the cutting be handled more gracefully? F.x. the user isn't
notified when the password gets cut, and logging in with the longer
version of the password afterwards doesn't work, which effectively means
that all you achieve by setting a longer password is rendering your
account inaccessible.
Bye,
Andreas
Re: [midgard-dev] Password Length
Wed June 24 2009 06:05:05 UTC
Andreas Flack writes:
Hi!
>> No, this is encrypt issue. It doesn't accept longer passwords.
>
> And could this cutting be limited to encrypted passwords only? Most
> passwords are unencrypted in the db anyways, so if longer passwords
> would be possible for them, this would already help
>
> Also, could the cutting be handled more gracefully? F.x. the user isn't
> notified when the password gets cut, and logging in with the longer
> version of the password afterwards doesn't work, which effectively means
> that all you achieve by setting a longer password is rendering your
> account inaccessible.
Please create a ticket for this. I think I'll fix it for the next release.
Piotras
Re: [midgard-dev] Password Length
Wed June 24 2009 06:35:06 UTC
Hi.
This issue caused major PR problems with Qaiku.
First of all there were problems related to the crypt function that
MySQL uses. It caused all passwords to be limited to 8 chars in length.
We made our own fork of midgard for qaiku in order to gain more
security. We resolved this crypting issue by using SHA256 hashes.
Duge can give more exact details. It works flawlessly with very
long passwords also.
Basically we would like to see that SHA is one of the supported
standard encryption methods in Midgard 2 series.
Piotras: Contact Duge if you want the SHA related code :)
- Tero
Re: [midgard-dev] Password Length
Wed June 24 2009 10:35:10 UTC
Tero Heikkinen wrote:
>
> First of all there were problems related to the crypt function that
> MySQL uses. It cause all passwords to be limited to 8 chars lenght.
>
It's the classic unix crypt, known to be less-than-perfect for ages, but
backwards compatibility is a problem in 1.x generations.
For Midgard2, there's no need to support the old crypt at all since DB
compatibility is shot anyway (see below), if someone *really* needs to
get the old crypt password upgraded without user intervention they can
always crack them.
> We made our own fork of midgard for qaiku in order to gain more
> security. We resolved this crypting issue by using SHA256 hashes.
> Duge can give to more exact details. It works flawlessly with very
> long passwords also.
>
> Basically we would like to see that SHA is one of the supported
> standard encryption methods in Midgard 2 series.
>
I wonder how much trouble it would be to store the identifier of the
hash algo with the hash in db (if we stick to binary data in these
columns one byte will be more than enough), the default algo should be
specified in connection config and of course when storing password the
algo can be specified (using the byte identifier, there should be
constant strings like MGD_HASH_SHA256). The main point being here that
the hash identifier marks which "plugin" to use for checking and
generating the hashes, rest of the core should treat the plugins as
black boxes with specified API (for example we could have AES plugin
where the encryption key is in connection config and thus plaintext is
recoverable while the actual data in DB is under strong encryption).
This way for "plaintext" passwords we could use a simple Caesar shift as
"hash" (for obfuscation).
/Rambo
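Rambo's layout (one identifier byte in front of the stored hash, one plugin per algorithm, the default taken from connection config) and the upgrade problem he raises can be shown end to end. The Python below is an added example, not Midgard code and not the Qaiku fork's code: the `MGD_HASH_*` names follow the constant style he proposes, but their values, the salt length, the byte layout, the choice of PBKDF2 as the configured default and the `login` helper are all this example's assumptions. Salted SHA-256 is included as the legacy plugin because that is what Tero says the fork uses. Verification dispatches on the tag byte, compares in constant time, and rehashes with the configured default once a successful login has supplied the plaintext, which is the only moment an old hash can be upgraded without cracking it. Because the stored value is a fixed-size digest, the length problem that started the thread disappears for every plugin.

```python
"""Added example of tag-byte hash storage with pluggable algorithms.
Not Midgard or Qaiku code; identifiers, layout and defaults are assumptions."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# One-byte algorithm identifiers, stored as the first byte of the column value.
# Names follow the MGD_HASH_* style proposed in the thread; the values are ours.
MGD_HASH_SHA256 = 0x01   # salted single-round SHA-256 (legacy, as in the fork)
MGD_HASH_PBKDF2 = 0x02   # PBKDF2-HMAC-SHA256 (the default this example configures)

SALT_LEN = 16
PBKDF2_ROUNDS = 100_000
DEFAULT_ALGO = MGD_HASH_PBKDF2   # would come from the connection config


def _sha256_plugin(password: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password).digest()


def _pbkdf2_plugin(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


# The core sees plugins only as derive(password, salt) -> digest.
PLUGINS: Dict[int, Callable[[bytes, bytes], bytes]] = {
    MGD_HASH_SHA256: _sha256_plugin,
    MGD_HASH_PBKDF2: _pbkdf2_plugin,
}


def hash_password(password: str, algo: int = DEFAULT_ALGO,
                  salt: Optional[bytes] = None) -> bytes:
    """Returns tag(1) || salt(SALT_LEN) || digest. Any password length is fine:
    the digest is fixed size, so nothing is clipped on the way into the column."""
    plugin = PLUGINS.get(algo)
    if plugin is None:
        raise ValueError(f"unknown hash algorithm id {algo:#04x}")
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    return bytes([algo]) + salt + plugin(password.encode("utf-8"), salt)


def split_stored(stored: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Parses a stored value; None if it is too short to carry tag, salt and digest."""
    if len(stored) < 1 + SALT_LEN + 1:
        return None
    return stored[0], stored[1:1 + SALT_LEN], stored[1 + SALT_LEN:]


def verify_password(stored: bytes, password: str) -> bool:
    parts = split_stored(stored)
    if parts is None:
        return False
    algo, salt, digest = parts
    plugin = PLUGINS.get(algo)
    if plugin is None:
        return False          # unknown tag: refuse, never fall back to guessing
    candidate = plugin(password.encode("utf-8"), salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def needs_rehash(stored: bytes) -> bool:
    """True when the value was not produced by the configured default plugin."""
    parts = split_stored(stored)
    return parts is None or parts[0] != DEFAULT_ALGO


def login(stored: bytes, password: str) -> Tuple[bool, bytes]:
    """Checks the password; on success returns an upgraded value if the stored one
    used a legacy plugin (the login is the one moment the plaintext is available)."""
    if not verify_password(stored, password):
        return False, stored
    if needs_rehash(stored):
        stored = hash_password(password)   # DEFAULT_ALGO with a fresh salt
    return True, stored


if __name__ == "__main__":
    legacy = hash_password("MySuperLongPassword2009", algo=MGD_HASH_SHA256)
    ok, upgraded = login(legacy, "MySuperLongPassword2009")
    print(f"login ok={ok} legacy_tag={legacy[0]:#04x} new_tag={upgraded[0]:#04x}")
```

The caller persists the second element of `login`'s result whenever it differs from what was read, which migrates the user base one login at a time. An unknown tag byte fails closed rather than being treated as plaintext; the Caesar-shift "plugin" Rambo floats for plaintext storage would slot into `PLUGINS` the same way, but nothing in this example should be read as recommending it.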
