It doesn't appear as though an exact match for a user's password is required (i.e., maybnsj or maybnsjgggg both work for a password which should have been maybnsjg). I haven't tested too many, but it seems that a lot of different passwords work. This is a potential security leak. -Matt Gong
I believe you are seeing the fact that only the first eight characters of the password are used. This is nothing new; Unix-based password schemes have had that problem for a very long time now. It's just the way the low-level password code works.
Oh, OK. I wasn't aware of that. Thanks, Terry!
Verified that Unix is insecure.
moving to Bugzilla product reassign to default owner/qa for INVALID/WONTFIX/WORKSFORME/DUPLICATE
*** Bug 316829 has been marked as a duplicate of this bug. ***
bug 211006 is tracking a fix for this (use md5 instead of crypt)
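Added example, not part of the original bug thread or of Bugzilla's code: a Python model of the eight-character behavior described above, next to a digest computed over the whole password as the md5 change would do. It models only the key preparation of traditional DES-based crypt(3) (low 7 bits of each of the first 8 bytes), not the full hash; the function names and the sample password `maybnsjh` are constructed for illustration.

```python
import hashlib


def des_crypt_key(password: str) -> bytes:
    """Key material traditional DES crypt(3) takes from a password.

    Only the first 8 bytes are read, only the low 7 bits of each byte
    are kept, and short passwords are zero-padded. Anything after the
    eighth byte never reaches the cipher.
    """
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    return bytes(b & 0x7F for b in raw)


def md5_digest(password: str) -> str:
    """Digest over the full password, as in the md5 change the thread mentions."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def accepted(stored: str, attempt: str, scheme: str) -> bool:
    """Would `attempt` verify against a hash made from `stored`?

    The salt is read back from the stored hash at login, so under DES
    crypt two passwords with the same key material give the same hash.
    """
    if scheme == "des-crypt":
        return des_crypt_key(stored) == des_crypt_key(attempt)
    if scheme == "md5":
        return md5_digest(stored) == md5_digest(attempt)
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    stored = "maybnsjg"
    # "maybnsjh" is a constructed attempt that differs inside the first 8 bytes.
    for attempt in ("maybnsjg", "maybnsjgggg", "maybnsjh"):
        print(
            f"{attempt!r:15}"
            f" des-crypt={accepted(stored, attempt, 'des-crypt')}"
            f" md5={accepted(stored, attempt, 'md5')}"
        )
```
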