It doesn't appear as though an exact match for a user's password is required (i.e. maybnsj or maybnsjgggg both work for a password which should have been maybnsjg). I haven't tested too many, but it seems that a lot of different passwords work. This is a potential security leak. -Matt Gong
Status: NEW → RESOLVED
Last Resolved: 20 years ago
Resolution: --- → INVALID
I believe you are seeing the fact that only the first eight characters of the password are used. This is nothing new; Unix-based password schemes have had that problem for a very long time now. It's just the way the low-level password code works.
Oh, OK. I wasn't aware of that. Thanks, Terry!
Verified that Unix is insecure.
Status: RESOLVED → VERIFIED
QA Contact: matty
Moving to Bugzilla product; reassign to default owner/QA for INVALID/WONTFIX/WORKSFORME/DUPLICATE.
Assignee: terry → justdave
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
*** Bug 316829 has been marked as a duplicate of this bug. ***
Bug 211006 is tracking a fix for this (use md5 instead of crypt).
Severity: critical → trivial
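The eight-character truncation discussed in this thread can be reproduced with Perl's built-in `crypt`. This is an added example, not part of the original report and not Bugzilla's code. The salt and the extra candidate passwords are constructed, and the unsalted `md5_hex` comparison only stands in for "a digest over the whole string". It assumes the platform's crypt(3) still provides traditional DES hashes and exits cleanly if it does not.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla code). Salt and candidate passwords are constructed.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Traditional DES crypt(3) output is 13 characters: 2 salt + 11 hash,
# all drawn from [./0-9A-Za-z]. Useful for spotting legacy hashes in a user table.
sub is_des_crypt {
    my ($hash) = @_;
    return defined $hash && $hash =~ m{\A[./0-9A-Za-z]{13}\z} ? 1 : 0;
}

# Verify a candidate the way a crypt-based login does:
# re-hash it using the stored hash as the salt, then compare.
sub crypt_accepts {
    my ($candidate, $stored) = @_;
    my $got = crypt($candidate, $stored);
    return defined $got && $got eq $stored ? 1 : 0;
}

my $password = 'maybnsjg';               # password from the report
my $salt     = 'ab';                     # constructed two-character salt
my $stored   = crypt($password, $salt);

if (!is_des_crypt($stored)) {
    print "crypt() here does not produce traditional DES hashes; nothing to show.\n";
    exit 0;
}

# Candidates sharing the first eight characters verify under DES crypt;
# one that differs inside the first eight does not.
for my $candidate ('maybnsjg', 'maybnsjgggg', 'maybnsjgXYZ123', 'maybnsjh') {
    printf "%-16s crypt: %-8s  whole-string md5: %s\n",
        $candidate,
        crypt_accepts($candidate, $stored) ? 'accepted' : 'rejected',
        md5_hex($candidate) eq md5_hex($password) ? 'match' : 'differs';
}
```

Running `is_des_crypt` over stored password hashes identifies accounts whose passwords are still only checked on their first eight characters.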