Re: Circle & SQL??

From: Daniel Koepke (dkoepke@CALIFORNIA.COM)
Date: 05/11/98

On Mon, 11 May 1998, Mark A. Heilpern wrote:

->The standard *nix crypt() function only operates on the first 8 characters of
->your password; anything beyond that is noise and not looked at. (Tho, I have
->heard of at least one crypt() library function that was significant to 16
->characters.) Also, if I'm not mistaken, characters that have the high bit
->on (not normally typable without ALT-xxx sequences) will have the high bit
->stripped before encryption.

Which still doesn't matter, because crypt() returns a 13 character
long string.  And MAX_PWD_LENGTH is used for the binary files, thus
stripping two characters off of the encrypted password.  This is most
certainly a security flaw, but not--in all likelihood--a "risk."

Allow me to explain.  There is a chance that two different strings,
encrypted using the same key, will differ _only_ by those last two
characters which are stripped off by Circle.  However, the chances of
someone being able to exploit such a conflict--to the best of my
estimations--are extremely slim.  In fact, the chances are so small
that they may as well be considered non-existent.  I still, however,
suggest that it be fixed (and, according to George, it may be in 3.1).
Remember: Anything that can go wrong, will go wrong.

-dak : Can go wrong.

     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     | |

This archive was generated by hypermail 2b30 : 12/15/00 PST