httpd-dev mailing list archives

From Martin Kraemer <>
Subject [PATCH] Document the 8-byte crypt() restriction
Date Mon, 17 Jan 2005 09:56:37 GMT
As we all know, standard DES crypt() uses only 8 characters of the
password passed to it.  Alas, many people trip over this and expect
a long password to give them better protection. (We got security
reports for this already).

However, there are implementations which provide a concatenation of
several 8-byte blocks. Do they still use the crypt() API? If not,
then I would propose to add one (or both) of the two attached patches:

  Add an error exit to htpasswd which bails with ERR_OVERFLOW if the
  password is too long for crypt() -- a similar exit is taken if the
  password is too long for other reasons, e.g., because it was given on
  the command line but exceeded 8kB in size.

  Document the restrictions implied by using DES crypt().


<>         |     Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730  Munich,  Germany
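The truncation the post describes, as an added example (not code from the post, nor from httpd's htpasswd): it builds the DES key the way classic crypt(3) does, so two passwords that agree in their first 8 characters are shown to be indistinguishable, and it models the proposed htpasswd length check. The ERR_* values and function names are assumed for illustration.

```python
# Added example: why traditional DES crypt() only "sees" 8 characters,
# and the length check proposed for htpasswd. Not taken from httpd.

MAX_DES_PW_LEN = 8  # characters that actually reach the DES key schedule


def des_crypt_key(password: str) -> bytes:
    """Derive the 64-bit DES key block the way classic crypt(3) does.

    Each of the first 8 characters contributes its low 7 bits, shifted
    left by one so the low (parity) bit of every key byte is zero; that
    is 56 effective key bits at most. Characters beyond the 8th are never
    read, so they cannot influence the resulting hash. Short passwords
    are zero-padded.
    """
    key = bytearray(MAX_DES_PW_LEN)
    raw = password.encode("latin-1")[:MAX_DES_PW_LEN]
    for i, ch in enumerate(raw):
        key[i] = (ch & 0x7F) << 1
    return bytes(key)


def same_des_hash(pw_a: str, pw_b: str) -> bool:
    """True when crypt() would yield identical hashes for the same salt."""
    return des_crypt_key(pw_a) == des_crypt_key(pw_b)


# Return codes modelled on htpasswd's ERR_* convention; the numeric
# values here are assumed for the example, not htpasswd's real constants.
ERR_OK = 0
ERR_OVERFLOW = 5


def check_crypt_password(password: str) -> int:
    """Reject a password longer than DES crypt() will use, as the patch
    proposes, instead of silently accepting and truncating it."""
    if len(password) > MAX_DES_PW_LEN:
        return ERR_OVERFLOW
    return ERR_OK


if __name__ == "__main__":
    # Constructed sample: a long passphrase and its 8-character prefix.
    long_pw, prefix = "correcthorsebatterystaple", "correcth"
    print("identical DES key:", same_des_hash(long_pw, prefix))  # True
    print("htpasswd check:", check_crypt_password(long_pw))     # 5 (ERR_OVERFLOW)
```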
