BIG security hole in Mac OS X!!

senne

Ok, I just discovered this:


if you log in and you have to give your password

for example "2180" is my password, everything works just fine

but if you give "21800" as your password everything works just fine also!!!

I think this is a BIG security hole!!

I didn't try it with "21801" for example, I'll try it after I post this message. I'm back in 1 minute!
 
Ok, it also works with every letter/number you type after your password, no matter how many you type after it.
 
Not a security hole. The system uses (I believe) only up to 8 character passwords.

If you use a password with more than 8 characters, only the first 8 are used.

If you had two users, both having the same first 8 characters, but a total of 10 characters, they would both have the same password.
 
You're right! My dad and I both use a password of 8 characters.


Hmm, I thought I discovered THE mistake of Mac OS X! But apparently not :)
 
well, even if it WOULD work on a smaller number, too, which it doesn't, it'd still be about the same grade of security. it would only be a security hole for users with short passwords. :)
 
Still not the greatest UI design if I say so myself... although it is nice to have OS X allow longer passwords, if it will just ignore characters past 8, then why even bother allowing the user to put them in?

Security through obscurity isn't the greatest idea in this case.
 
seems like someone would still have to know the password either way. without the minimum of the correct choice, still no access. if you want security, then you should follow some of the guidelines for creating passwords and not simple, easy to decipher ones. sometimes things do fall on the level of effort of the user. :)
 
True, I wasn't speaking from the perspective of security, but rather UI.

I would rather have the computer let me know what is going to be used and what is ignored so I don't waste effort (the whole time = money argument). Although this flaw is rather minor UI-wise, it is a nice example of bad UI in general where you let the user needlessly waste effort when you will just throw it out the window.

Bah, I should just probably climb back into my hole and design my own apps' UIs ;)
 
Well if you need to install software, it has to have all the characters. You can login, but I noticed you can't install things without the entire password. By install software, I mean when it asks for a password prior to installation.
 
Not allowing people to enter passwords larger than 8 characters, even though nothing more than the 8 are considered, would be breaking standards with every other unix distribution. If you're from an environment that has a few different types of unix distributions and they use the network to share passwords this could cause problems. People may think they've got a 10 character password, and when the Mac beeps at them after 8 they could assume they won't be able to log in.
 
Well, I am referring to local passwords, network passwords can be some defined length (by the protocol), but a local machine must be consistent. This little fun happy loophole just proves that it is inconsistent on a single machine, and that is just bad UI.
 
I realize this, but I was pointing out that if you had this sort of information, where you literally ignored part of it for some process, don't let the user create ignored information in the first place.

I didn't say the solution was to make the Mac limit itself to 8 character passwords EVERYWHERE, and make it so someone could only enter 8 characters for network passwords, since this is a login screen issue. If the idea of limiting a single computer's passwords is bad (which it is), then fix the login screen to use the whole password.
 
this is unix legacy, only the first 8 matter in unix style encryption. Mac OS X has a pluggable authentication module design, so that you might be authenticating against another password checker depending on the setup of the machine. Most likely the auth schema will improve in the future, but the UI will not have to.

Apple is giving you a functional and standards compliant solution right now, while being fully prepared for scalable solutions in the present and in the future. This is one that Apple got totally right in my opinion.

And, 200+ printable characters, means > 200^8 unique passwords ... > 2 quintillion.
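The truncation behaviour described in this thread (traditional DES crypt(3) only looking at the first 8 characters, so anything typed after them is ignored and two users sharing the first 8 characters share a credential) can be checked for in any authentication backend. The following is an added example, not code from the thread or from Mac OS X: `legacy_hash` is a constructed stand-in that reproduces the 8-character cut-off (it uses SHA-256, not DES, purely to model the truncation), `modern_hash` hashes the whole password, and `truncates_passwords` is a hypothetical audit probe that registers a long password and tests whether variants differing only beyond position 8 are still accepted.

```python
"""Audit probe: does an authentication backend silently truncate passwords?"""
import hashlib
import hmac
import os

LEGACY_LIMIT = 8  # traditional DES crypt(3) uses at most 8 characters


def legacy_hash(password: str, salt: bytes) -> bytes:
    # Constructed stand-in for DES crypt(3): only the first 8 characters
    # influence the result, so "password123" and "password" collide.
    return hashlib.sha256(salt + password[:LEGACY_LIMIT].encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    # Whole password fed into a slow KDF; nothing is dropped.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Backend:
    """Minimal user store (hypothetical): registers and verifies passwords."""

    def __init__(self, hash_fn):
        self.hash_fn = hash_fn
        self.users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, self.hash_fn(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self.hash_fn(password, salt))


def truncates_passwords(backend: Backend, limit: int = LEGACY_LIMIT) -> bool:
    """Register a password longer than `limit`, then try variants that match
    it only up to `limit`. Acceptance of any variant means the backend
    ignores characters past that position."""
    base = "correct-horse-battery"  # constructed 21-character password
    backend.register("probe", base)
    # Sanity check: a password wrong within the first `limit` chars must fail.
    if backend.verify("probe", "wrong" + base[5:]):
        raise RuntimeError("backend accepts wrong passwords; probe is invalid")
    variants = [
        base + "X",                 # extra characters appended (as in the thread)
        base[:limit],               # only the first `limit` characters
        base[:limit] + "zzzz",      # same prefix, different tail
    ]
    return any(backend.verify("probe", v) for v in variants)
```

Run against a backend built on a truncating hash the probe returns True; against one that hashes the full password it returns False, which is the property to demand from any login or sudo-style prompt.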
 