User-Agent: Opera/7.54 (X11; FreeBSD i386; U) [en]
Build Identifier: Opera 7.54

When we have a password ending with some numbers (I've tried with 2 numbers) we could log in to an account with a password extended by some numbers. E.g. when we have a password like "Kkrowa12" then we could log in with a password "Kkrowa123". I haven't tried all of the combinations (Bugzilla 2.18 and 2.19+) - but the above works. It seems like the number of letters is important or the first two have to be the same (capital and normal). On "krowa12" this didn't work out... but "Kkrowa12" was OK.

Reproducible: Always

Steps to Reproduce:
1. Create a password - 5 or 6 letters and 2 numbers.
2. Try to log in with that password extended by some number.

Actual Results:
Successful login to an account with a bad (not accurate) password.

Expected Results:
"Bad password or username"...

It works on Opera 7.54 on BSD and on Mozilla (Windows ?).

Originally confirmed by Rafal Mileszczyk merlino [at] wp [dot] pl .
Did this work with passwords shorter than 8 characters? IIRC, Crypt only uses the first 8.
crypt is the password encryption function. It is based on the Data Encryption Standard algorithm with variations intended (among other things) to discourage use of hardware implementations of a key search. key is a user's typed password. salt is a two-character string chosen from the set [a-zA-Z0-9./]. This string is used to perturb the algorithm in one of 4096 different ways. By taking the lowest 7 bits of each of the first eight characters of the key, a 56-bit key is obtained. This 56-bit key is used to encrypt repeatedly a constant string (usually a string consisting of all zeros). The returned value points to the encrypted password, a series of 13 printable ASCII characters (the first two characters represent the salt itself). The return value points to static data whose content is overwritten by each call.
Bug 211006 comment 1 actually mentions that because we use crypt(), only the first 8 characters matter.
*** This bug has been marked as a duplicate of 211006 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
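The crypt(3) description quoted above accounts for both passwords in the report. As an added example (not Bugzilla's code and not part of any comment in this bug), the Python below reproduces only the key-derivation step of traditional DES crypt, not the hash itself; the function names are hypothetical.

```python
# Added illustration of the key-derivation step the quoted man page describes:
# low 7 bits of each of the first eight characters -> one 56-bit key.
# It does not compute the DES-based hash; names here are hypothetical.

def des_crypt_key(password: str) -> int:
    """Pack the 56-bit key traditional crypt(3) would derive, as an integer."""
    # Only the first eight bytes are read; shorter input is zero-padded.
    raw = password.encode("utf-8")[:8].ljust(8, b"\0")
    key = 0
    for byte in raw:
        key = (key << 7) | (byte & 0x7F)  # the high bit of each byte is dropped
    return key


def significant_part(password: str) -> bytes:
    """The bytes of the password that can influence the resulting hash."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:8])


def collide(a: str, b: str) -> bool:
    """True if both passwords give the same key, so crypt(3) accepts either."""
    return des_crypt_key(a) == des_crypt_key(b)


if __name__ == "__main__":
    # Password pairs taken from the report above.
    for stored, typed in [("Kkrowa12", "Kkrowa123"), ("krowa12", "krowa123")]:
        print(f"{stored!r} vs {typed!r}: "
              f"significant bytes {significant_part(stored)!r} / "
              f"{significant_part(typed)!r}, collide={collide(stored, typed)}")
```

"Kkrowa12" is already eight characters long, so the appended "3" is never read; "krowa12" has seven, so the extra digit lands in the eighth position and changes the key.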
*** Bug 285907 has been marked as a duplicate of this bug. ***
Doh... that could be it :). That works only on 8 and more letters, but not with all cases - the password must end with two digits. I'm confused - really strange authentication mechanism these days... :/ Sorry about the duplication - form posted twice?