https://issues.apache.org/bugzilla/show_bug.cgi?id=47573


Ruediger Pluem <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P2                          |P4
          Component|Build                       |Documentation
--- Comment #2 from Ruediger Pluem <[email protected]>  2009-07-24 08:19:11 PST ---
(In reply to comment #0)
> Creating password with more than 8 characters gets truncated.
> After 8 characters the user only needs to supply the password up to the 8th
> character.  I even created an account on your site with 12 characters and only
> had to supply 8. 

I fail to see a vulnerability here. I only see a documentation issue here as
this limitation is not mentioned in the docs, maybe because to most Unix people
it is known that passwords encrypted with crypt do not support more than 8
characters and are truncated after 8 characters.

> In addition:
> The man page Examples states that the htpasswd use Apache md5 by default.  You
> need to use the -m switch in order to use the md5 function.

As you are working on Linux this is correct behaviour. The below text states
explicitly and clearly that md5 is only default on Windows and crypt will be
used on other systems.

> "EXAMPLES
>              htpasswd /usr/local/etc/apache/.htpasswd-users jsmith
> 
>        Adds or modifies the password for user jsmith. The user is prompted for
>        the password. If executed on a Windows system,  the  password  will  be
>        encrypted  using the modified Apache MD5 algorithm; otherwise, the sys-
>        tem’s crypt() routine will  be  used.  If  the  file  does  not  exist,
>        htpasswd will do nothing except return an error."

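The point made in this comment (on non-Windows systems htpasswd defaults to crypt(), and crypt() keeps only the first 8 characters of the password) can be checked in an existing .htpasswd file by looking at the format of the stored hash: a legacy crypt(3) entry is 13 characters from the alphabet [./0-9A-Za-z] with no prefix, while `-m`, `-s` and `-B` entries carry `$apr1$`, `{SHA}` and `$2y$` prefixes. The following audit script is an added example, not code from the bug report or from httpd; the sample file, the placeholder hash strings and the function names are constructed for illustration, and the 72-byte bcrypt limit it lists is a general property of bcrypt rather than something stated in the report.

```python
import re

# Legacy DES crypt(3) output: 2 salt characters + 11 hash characters,
# all drawn from [./0-9A-Za-z], with no scheme prefix.
CRYPT_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Longest prefix of the password each scheme actually hashes.
# crypt-des silently drops everything after the 8th character (the
# behaviour discussed in the bug). The bcrypt limit of 72 bytes is a
# general bcrypt property added here, not a statement from the report.
# None means the whole password is hashed.
TRUNCATION_LIMITS = {
    "crypt-des": 8,
    "bcrypt": 72,
    "apr1-md5": None,
    "sha1": None,
}

# Constructed sample .htpasswd content; the hash values are placeholders
# in the correct on-disk shape, not real credentials.
SAMPLE_HTPASSWD = """\
# crypt(3) entry, the non-Windows default described in the man page
jsmith:abCDEFGHIJ123
# htpasswd -m: Apache MD5, $apr1$<salt>$<hash>
alice:$apr1$zX1y2w3v$PLACEHOLDERHASH
# htpasswd -s: SHA-1, {SHA}<base64>
bob:{SHA}PLACEHOLDERBASE64=
# htpasswd -B: bcrypt, $2y$<cost>$<salt+hash>
carol:$2y$05$PLACEHOLDERSALTANDHASH
# plaintext entry (htpasswd -p): no recognised hash shape
dave:plaintextpassword

malformed line without a colon
"""


def classify_hash(stored):
    """Name the htpasswd hash scheme from the stored value's prefix or shape."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith("{SHA}"):
        return "sha1"
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    # Caveat: a plaintext password that happens to be exactly 13 characters
    # from the crypt alphabet is indistinguishable from a crypt hash here.
    if CRYPT_DES_RE.match(stored):
        return "crypt-des"
    return "unknown"


def effective_password_length(password, scheme):
    """How many characters of `password` the scheme really verifies."""
    limit = TRUNCATION_LIMITS.get(scheme)
    if limit is None:
        return len(password)
    return min(len(password), limit)


def audit_htpasswd(text):
    """Parse htpasswd text into (entries, malformed_lines).

    Each entry records the user, the detected scheme and the scheme's
    truncation limit (None when the full password is used).
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            malformed.append((lineno, raw))
            continue
        user, stored = line.split(":", 1)
        scheme = classify_hash(stored)
        entries.append({
            "user": user,
            "scheme": scheme,
            "truncates_at": TRUNCATION_LIMITS.get(scheme),
        })
    return entries, malformed


def users_on_des_crypt(text):
    """Users whose stored hash is DES crypt and so only checks 8 characters."""
    entries, _ = audit_htpasswd(text)
    return [e["user"] for e in entries if e["scheme"] == "crypt-des"]


if __name__ == "__main__":
    entries, malformed = audit_htpasswd(SAMPLE_HTPASSWD)
    for e in entries:
        limit = e["truncates_at"]
        note = f"only first {limit} chars checked" if limit else "full password checked"
        print(f"{e['user']:8} {e['scheme']:10} {note}")
    for lineno, raw in malformed:
        print(f"line {lineno}: malformed entry: {raw!r}")
```

Run against a real file with `audit_htpasswd(open(path).read())`; any user reported by `users_on_des_crypt` has a password that is verified on its first 8 characters only, and re-running `htpasswd -m` (or `-B` on builds that support it) for that user replaces the entry with one that hashes the whole password.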