[lug] Interesting .htpasswd "feature"

rm at fabula.de rm at fabula.de
Thu Oct 11 13:56:09 MDT 2001


On Thu, Oct 11, 2001 at 01:20:38PM -0600, Scott A. Herod wrote:
> Is it just using the first 8 characters?  I think even telnet only uses
> 8 so for example, I can mistype the last two characters of my 10 character
> password and still log in.

This is neither telnet nor apache but a 'feature' of Unix' crypt(3)
function (exported by libcrypt). This library will take a password
and an encryption 'salt' and return a 13 character ASCII string with
the first two characters being the salt value. The standard algorithm
also only uses the lower 7 bits of each character. You (or the program)
can ask the library to use the more modern/secure MD5 algorithm by
giving the special salt value '$1$' + 8 chars. MD5 passwords can be
longer than 8 chars and are generally considered more secure.

 Ralf Mattes

> Scott
> 
> Justin wrote:
> > 
> > I tested this on Apache 1.3.20 and I got the same thing. Put in my
> > login name and my password plus a couple keyboard mashes and it logged
> > in fine. Dunno how someone could abuse this though cause they would
> > still need the real password...definitely interesting though.
> > 
> > Justin
> > 
> > > Check this out:
> > >
> > >      If you .htpasswd a directory/site with apache 1.3.19, log in with the
> > > correct username and (password + any characters thereafter) you will be
> > > logged in.  I tried this "feature" with apache 1.3.12 and it didn't work.
> > >      This seems kind of stupid since somebody doesn't have to use the exact
> > > password when they log in to the site you are protecting.  If your password
> > > was ABCDEF and somebody tried the entire alphabet as a password they would
> > > be allowed in.  How odd.  I wonder if it's just my machine.  Can anybody
> > > else confirm this?
> > >
> > > Greg
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
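As an added illustration of the crypt(3) behaviour Ralf describes (this is not code from the thread, from Apache or from libcrypt), the following Python models the traditional DES key derivation (first 8 bytes, low 7 bits, zero-padded) and audits a constructed .htpasswd file for the scheme each entry uses. The `$apr1$` prefix is Apache's own MD5 variant, not mentioned in the thread, and every hash value in the sample is a shape-only placeholder.

```python
"""Audit .htpasswd entries for the 8-character truncation of traditional crypt(3).

Constructed example; the sample hashes are placeholders, not real digests.
"""
import re

# Traditional DES crypt output: 13 characters from "./0-9A-Za-z", salt first.
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> str:
    """Name the password scheme implied by an .htpasswd hash field."""
    if field.startswith("$1$"):
        return "md5-crypt"      # '$1$' + salt: no 8-character limit
    if field.startswith("$apr1$"):
        return "apr1-md5"       # Apache MD5 variant (assumed, not from the thread)
    if _DES_CRYPT_RE.match(field):
        return "des-crypt"      # 13 chars, first two are the salt
    return "other"


def des_effective_key(password: str) -> bytes:
    """Bytes traditional crypt(3) actually feeds DES: first 8 bytes,
    each reduced to its low 7 bits, zero-padded to 8."""
    key = bytes(b & 0x7F for b in password.encode("utf-8")[:8])
    return key.ljust(8, b"\0")


def des_equivalent(stored: str, offered: str) -> bool:
    """True if DES crypt would accept `offered` wherever `stored` is the password."""
    return des_effective_key(stored) == des_effective_key(offered)


def audit_htpasswd(text: str) -> list[tuple[str, str, str]]:
    """Return (user, scheme, des-salt-or-'') for each non-comment line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        scheme = classify_hash(field)
        findings.append((user, scheme, field[:2] if scheme == "des-crypt" else ""))
    return findings


# Constructed sample file: right shape, placeholder values.
SAMPLE_HTPASSWD = """\
# users
greg:abJnggxhB/yWI
justin:$1$saltsalt$placeholderhashvalue00000
scott:$apr1$xyzw1234$placeholderhashvalue0000
"""

if __name__ == "__main__":
    for user, scheme, salt in audit_htpasswd(SAMPLE_HTPASSWD):
        note = " (only the first 8 password chars matter)" if scheme == "des-crypt" else ""
        print(f"{user}: {scheme} salt={salt!r}{note}")
```

Because short keys are zero-padded, appended characters go unnoticed only once the real password already fills 8 characters, which is why a 10-character password tolerates a mistyped tail while a 6-character one does not.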


