Okay, but should it be _allowing_ this as a password or don't you think that it should reject it? There is a very big difference between 'webmaste' and 'webmaster23445' in terms of security, as I just found out.

The reasoning for my use of CRYPT is that most of my users are still from when VPOPMAIL didn't support MD5. But in terms of this situation, the base64 password that the user sends would likely be better decode_base64()'d and then compared against the clear-text password.


From: "Paul L. Allen" <[EMAIL PROTECTED]>
Subject: [vchkpw] Re: SMTP-Auth bug in passwords?
Date: Wed, 10 Sep 2003 13:30:27 GMT

Mike Miller writes:

> Nope. Not using MD5 passwords.

That would explain it then.  As Tom said, DES-style crypt ignores
after the first eight characters of the password.  MD5-style crypt has a
higher limit, from memory I believe it's something like 126.

Paul Allen
Softflare Support

The new MSN 8: smart spam protection and 2 months FREE* http://join.msn.com/?page=features/junkmail

Reply via email to