> ----- Original Message -----
> From: Mike Miller [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 25 February 2004 16:12
> To: VNC List
> Subject: RE: !!!DANGER!!!! Acute security risk! WAKE UP!!!!
>
> On Wed, 25 Feb 2004, Seak, Teng-Fong wrote:
>
> > Talking about security, there's one severe bug that needs to be
> > corrected. Months ago, someone reported that even though we could
> > define a long password, but the effective number of letters is only 8
> > (eight)!
> >
> > I've tested with VNC 4b4 and the bug is still there. Could
> > someone take a look into it?
>
> An aside: Solaris always worked this way too, but they seem to have fixed
> the problem in Solaris 9:
>
> http://www.computing.net/solaris/wwwboard/forum/4081.html
>
> Too late for me though - I think I'm going to go with Linux henceforth!
I've never wondered about this: how about in Linux? Is the effective number of
password characters also 8? I'm not just talking about VNC login, but a normal login.
> That's a neat idea, so long as you only want to connect from one machine
> and the two machines have well-synced clocks!
Why would you think from only _one_ machine? And they don't have to have
well-synchronised clocks. The time can be a manual-input parameter :) and I could use
my own watch!
OTOH, I could set the interval to 3 minutes for each generation so I don't
really need a well-synched machine. I just have to remind myself not to try a
password +/- 10 seconds before the next generation.
I don't know how a VNC server handles session requests, but I suppose a brute
force robot tries one password before trying another one instead of initiating n
sessions at the same time. Well, you know, iterative, or else it's not called "brute
force". And I suppose it needs 1 second to try a password (i.e. request a session from
the client, a response from the server asking for the password and a final refusal from the server). So
in 3 minutes, it would have tried 300 passwords. Is it too many?
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
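The time-based password scheme sketched in the message above, written out as an added example that is not from the VNC list or from RealVNC's code. It assumes a shared secret, a 3-minute generation interval, HMAC-SHA256 as the derivation function and an 8-digit output (VNC only honours the first 8 characters); all of those are choices made here for illustration. The verifier accepts the neighbouring interval as well, which removes the "don't type it 10 seconds before the boundary" problem but also widens the window an attacker has per password, so the last function computes that budget for both settings.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 180  # 3-minute generation interval, as proposed in the thread (assumption)
DIGITS = 8          # VNC only honours the first 8 password characters, so emit exactly 8


def time_step(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Map a Unix timestamp (typed in by hand or read from a clock) to an interval counter."""
    return unix_time // step


def generate_password(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Password valid for the interval containing unix_time.

    Constructed scheme: HMAC-SHA256 over the big-endian interval counter,
    reduced to DIGITS decimal digits. Both sides derive the same value
    as long as they agree on the secret and the interval.
    """
    counter = struct.pack(">Q", time_step(unix_time, step))
    digest = hmac.new(secret, counter, hashlib.sha256).digest()
    value = int.from_bytes(digest[:8], "big") % (10 ** DIGITS)
    return f"{value:0{DIGITS}d}"


def verify_password(secret: bytes, candidate: str, unix_time: int,
                    step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Accept the password for the current interval or up to skew_steps neighbours.

    skew_steps=0 is the strict form: a user who types the password a few
    seconds before the boundary is rejected. skew_steps=1 tolerates that
    (and modest clock drift) at the cost of a three-interval window.
    """
    current = time_step(unix_time, step)
    for offset in range(-skew_steps, skew_steps + 1):
        expected = generate_password(secret, (current + offset) * step, step)
        if hmac.compare_digest(expected, candidate):  # constant-time comparison
            return True
    return False


def guesses_per_window(step: int = STEP_SECONDS, seconds_per_guess: float = 1.0,
                       skew_steps: int = 1) -> int:
    """Sequential guesses an attacker can make while one password is still accepted.

    The window is (2 * skew_steps + 1) intervals wide; with 10**DIGITS possible
    passwords this is the attacker's per-window coverage of the key space.
    """
    valid_seconds = step * (2 * skew_steps + 1)
    return int(valid_seconds // seconds_per_guess)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    now = 1_077_722_000                    # constructed timestamp
    pw = generate_password(secret, now)
    print("password for this interval:", pw)
    print("accepted now:", verify_password(secret, pw, now))
    print("accepted one interval later (skew 1):", verify_password(secret, pw, now + STEP_SECONDS))
    print("accepted one interval later (skew 0):", verify_password(secret, pw, now + STEP_SECONDS, skew_steps=0))
    print("guesses per window, strict:", guesses_per_window(skew_steps=0))
    print("guesses per window, skew 1:", guesses_per_window())
    print("fraction of key space per window:", guesses_per_window() / 10 ** DIGITS)
```

The trade-off is visible in the numbers: with a strict 180-second interval and one guess per second an attacker gets 180 attempts per password, and with the neighbouring intervals accepted 540, against a key space of 10^8; either way the server's real defence is rate limiting the failed attempts, not the short interval.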