We got a big fish here.
Actually, I don't really know why this is happening, but with default configurations the password can only be 8 chars in length.
You can register any password length, but when you login it only checks the first eight chars.
Like this.
You register this password: password1234, and then you try to login with only password and voilà, it works. We implemented a workaround, which is mainly just limiting the size of the password to 8.
Please, let's investigate this as soon as possible.
The other issue is that we strongly believe that a strength meter and strength validator is a feature that cannot be ignored. Nowadays weak passwords are one of the main threats to a website. We also implemented something to deal with it. So, if there is any interest in implementing this feature, we can help.
--
TWiki:Main/JoaoMadrid
- 23 Oct 2008
this is a known fact of how apache htpasswd works. it's not due to TWiki.
see http://httpd.apache.org/docs/2.2/programs/htpasswd.html
TWiki provides several options in configure as to what encryption method to use for passwords - we're mostly limited by the knowledge of the installers, who expect TWiki to just work on their system.
you also haven't provided any information wrt your setup, so I'm presuming you've just used the default?
--
TWiki:Main.SvenDowideit
- 23 Oct 2008
Joao. Contributions are always welcome. For sure we would like to hear how you have chosen to improve this.
--
TWiki:Main.KennethLavrsen
- 24 Oct 2008
SvenDowideit
Actually, as far as I'm concerned, htpasswd supports 255 chars in length. And as I said before, I'm using default configurations indeed.
The problem isn't this issue... but that TWiki ALLOWS the user to register longer passwords, and then only checks the first 8 chars. It compromises all the strength of a password.
Here is a little explanation of what must happen to have a good password:
we got a password stored at $passwordA
checking $TWiki::cfg{MinPasswordLength} is the first thing.
After, comes the fun.
We must check against the basic rules of a strong password:
Must contain letters, numbers and special chars.
Must NOT be based upon Name or WikiName
And after we also check against a dictionary of easy words and sequences like 12345
Actually we got a lot of power with this method. Performing all the tests individually, we can set a password strength value, and modify it according to whether it passes the tests or not.
I have a functional Register.pm working with these criteria.
And I modified the TWikiRegistration to only allow 8 chars in password.
--
TWiki:Main.JoaoMadrid
- 24 Oct 2008
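The rules Joao lists in the post above (minimum length, letters/numbers/special chars, not based on the Name or WikiName, a dictionary of easy words and sequences like 12345, and a strength value adjusted per test) as an added Python example. It is not part of this thread and not TWiki's Register.pm; the word list and sequences are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed word list and sequences; a deployment would load a real
# dictionary file instead of this short sample.
EASY_WORDS = ("password", "letmein", "welcome", "admin", "secret")
SEQUENCES = ("12345", "abcde", "qwerty", "asdf")


def _is_based_on(password, name):
    """True when the password is built from a name: the name (spaces removed,
    case-folded) appears in the password or the password appears in the name.
    Names shorter than three characters are ignored to avoid false hits."""
    name = re.sub(r"\s+", "", name).lower()
    pw = password.lower()
    return len(name) >= 3 and (name in pw or pw in name)


def password_strength(password, min_length=8, name="", wiki_name=""):
    """Score a candidate password against the rules from the thread.

    Every rule is tested on its own: a passed rule adds to the score, a failed
    one subtracts and records a reason the user can act on. Returns
    (score, reasons); the score is floored at zero."""
    score = 0
    reasons = []

    # Minimum length, as $TWiki::cfg{MinPasswordLength} would be checked.
    if len(password) >= min_length:
        score += 1
    else:
        reasons.append(f"shorter than {min_length} characters")

    # Character classes: letters, numbers and special characters.
    for label, pattern in (("letters", r"[A-Za-z]"),
                           ("digits", r"[0-9]"),
                           ("special characters", r"[^A-Za-z0-9]")):
        if re.search(pattern, password):
            score += 1
        else:
            reasons.append(f"no {label}")

    # Must not be based on the user's Name or WikiName.
    if any(_is_based_on(password, who) for who in (name, wiki_name) if who):
        score -= 2
        reasons.append("based on name or WikiName")

    # Dictionary of easy words, then easy sequences.
    lowered = password.lower()
    words = [w for w in EASY_WORDS if w in lowered]
    if words:
        score -= 2
        reasons.append(f"contains dictionary word {words[0]!r}")

    seqs = [s for s in SEQUENCES if s in lowered]
    if seqs:
        score -= 1
        reasons.append(f"contains easy sequence {seqs[0]!r}")

    return max(score, 0), reasons


def is_acceptable(password, **kwargs):
    """Registration should accept a password only when every rule passed."""
    return not password_strength(password, **kwargs)[1]


if __name__ == "__main__":
    for candidate in ("saopaulo98*HiJsamba!", "12345678", "JoaoMadrid1!"):
        print(candidate, password_strength(candidate, wiki_name="JoaoMadrid"))
```

The reasons list is what a strength meter would show next to the form; the numeric score is only a summary of how many individual tests passed, which is why the accept/reject decision looks at the reasons rather than at a score threshold.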
SvenDowideit
Just to reaffirm. I tested the bug here on the main site and it applies here also.
I changed my password to 12345678qwer and I managed to login just with 12345678.
--
TWiki:Main.JoaoMadrid
- 24 Oct 2008
this is a known fact of how apache htpasswd works. it's not due to TWiki.
see http://httpd.apache.org/docs/2.2/programs/htpasswd.html
(to quote from the linked page)
When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.
and crypt() is what is used by apache's htpasswd by default.
The fact that TWiki's site has been using htpasswd since the dawn of time (and only recently stopped using apache's inbuilt auth), does not change the (unhappy) fact that this is how it is expected to work.
What you have is a good enhancement, but it is not a bug - I say this because every year someone 'finds' it, and every year, it is explained (by someone other than me) the history of the situation.
did you perhaps notice that on your site (rather than crippling your system to 8 characters) you can use htdigest form or md5 or md5-crypt, or several others that will not be limited to the first 8 characters?
Yes, it would be nice to change the default, but so far there has always been strong resistance to breaking existing sites, or further increasing the complexity of installation.
To re-iterate - I think you have a useful enhancement here, and one that we would love to see written about in Codev, to be added either as a Plugin, or straight into the next major release.
--
TWiki:Main.SvenDowideit
- 24 Oct 2008
But did you notice that it is wrong to fool the user? The user creates a strong password and ends up with something that he didn't want.
For example:
saopaulo98*HiJsamba!
is a very good password, but the real password ends up being saopaulo, a very weak password.
I think TWiki must notify the user, or just block more chars when using crypt()...
Think well, would you like to know that your bank password of 15 chars is being cut to 8 chars? And it doesn't even notify you?
--
TWiki:Main.JoaoMadrid
- 24 Oct 2008
Yes, I know of the reality of the compromise that is made. And I also think hard about the trouble users have when they try to change between apache auth and template auth.
Remember if TWiki is configured to use ApacheLogin, it is not up to TWiki how the password is used. TWiki needs to write a htpasswd file that Apache is happy to use.
--
TWiki:Main.SvenDowideit
- 24 Oct 2008
I agree that with this point of view it isn't a bug, but I think the user must be warned of it.
--
TWiki:Main.JoaoMadrid
- 24 Oct 2008
I will take a look at Codev and write it there. And I will give some tries with the other crypt forms.
I must warn that with MD5 it is very easy to create collisions. Nowadays, 20 minutes and we can break a password.
Just to inform you guys:
http://www.mscs.dal.ca/~selinger/md5collision/
The best alternative is SHA1... 160b... better than MD5
--
TWiki:Main.JoaoMadrid
- 24 Oct 2008
it feels to me like you've not read the docco, nor looked at the existing configuration options:
(from configure)
{Htpasswd}{Encoding}
Password encryption, for the TWiki::Users::HtPasswdUser password manager. You can use the htpasswd Apache program to create a new password file with the right encoding.
crypt is the default, and should be used on Linux/Unix.
sha1 is recommended for use on Windows.
md5 is the htdigest format - useful on sites where password files are required to be portable. In this case, the {AuthRealm} is used with the username and password to generate the encrypted form of the password, thus: user:{AuthRealm}:password. Take note of this, because it means that if the {AuthRealm} changes, any existing MD5 encoded passwords will be invalidated by the change!
plain stores passwords as plain text (no encryption).
crypt-md5 enables use of standard libc (/etc/shadow) crypt-md5 passwords (like $1$saltsalt$hashashhashhashhash...$) which are stronger than the crypt passwords, salted, and the salt is stored in the encrypted password string as in normal crypt passwords.
and that's ignoring the external authentication systems we interface to.
The default is only chosen for maximum compatibility with Apache.
--
TWiki:Main.SvenDowideit
- 24 Oct 2008
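The encoding list in the post above, turned into a check a site admin could run over a TWiki .htpasswd file to see which entries were written with crypt (and so only ever check the first 8 characters, as the Apache documentation quoted earlier says) or stored in plain text, plus the registration-time notice Joao asks for. This is an added Python example, not TWiki code: the sample file lines are constructed, format-valid placeholders rather than real digests, the `$apr1$` form is Apache's own htpasswd -m output (not mentioned in the thread), and the function names are hypothetical.

```python
import re

# On-disk forms written by each {Htpasswd}{Encoding} setting discussed above
# (plus Apache's own htpasswd -m "$apr1$" form, which also turns up in files).
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")                      # crypt (DES)
CRYPT_MD5_RE = re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")  # crypt-md5
APR1_RE = re.compile(r"^\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")    # htpasswd -m
SHA1_RE = re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")               # sha1
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")                         # htdigest md5

# Characters of the password each scheme actually uses; absent means all.
EFFECTIVE_LIMIT = {"crypt": 8}


def classify_hash(stored):
    """Name the scheme a stored password string was produced by."""
    if CRYPT_RE.match(stored):
        return "crypt"
    if CRYPT_MD5_RE.match(stored):
        return "crypt-md5"
    if APR1_RE.match(stored):
        return "apr1-md5"
    if SHA1_RE.match(stored):
        return "sha1"
    if stored.startswith(("$", "{")):
        return "unknown"  # some other hash scheme; report it, do not guess
    return "plain"


def parse_entry(line):
    """Split one line into (user, encoding, extra).

    Two fields are user:hash. Three fields are either htdigest format
    (user:realm:md5hex, TWiki's "md5" setting) or TWiki's user:hash:email
    form; a 32-hex third field is taken as htdigest."""
    fields = line.rstrip("\n").split(":")
    if len(fields) == 3 and MD5_HEX_RE.match(fields[2]):
        return fields[0], "md5", fields[1]  # extra = realm
    extra = fields[2] if len(fields) > 2 else ""
    return fields[0], classify_hash(fields[1]), extra


def audit_htpasswd(text):
    """Return (user, encoding, note) for every entry, flagging schemes that
    silently truncate the password or store it unhashed."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, enc, _ = parse_entry(line)
        limit = EFFECTIVE_LIMIT.get(enc)
        if enc == "plain":
            note = "stored without hashing"
        elif limit:
            note = f"only the first {limit} characters are checked"
        else:
            note = "ok"
        report.append((user, enc, note))
    return report


def registration_warning(password, encoding):
    """The notice the registration form should show before storing a password
    that the configured encoding will silently shorten; None if not needed."""
    limit = EFFECTIVE_LIMIT.get(encoding)
    if limit and len(password) > limit:
        return (f"With the {encoding} encoding only the first {limit} "
                f"characters of your password are used when you log in.")
    return None


# Constructed sample file: hash values are format-valid placeholders, not
# real digests of any account.
SAMPLE_HTPASSWD = """\
# constructed sample, not a real site's password file
alice:ab7lpqRaYGFSY
bob:$1$saltsalt$0123456789abcdefghijkl
carol:$apr1$saltsalt$0123456789abcdefghijkl
dave:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
erin:TWikiRealm:5f4dcc3b5aa765d6d8b1c4c2fa5e4d2a
frank:letmein:frank@example.com
"""

if __name__ == "__main__":
    for row in audit_htpasswd(SAMPLE_HTPASSWD):
        print("%-6s %-10s %s" % row)
    print(registration_warning("saopaulo98*HiJsamba!", "crypt"))
```

The audit only looks at the shape of the stored string, so it needs no crypt() library and runs anywhere; it tells an admin whether switching {Htpasswd}{Encoding} away from crypt will leave old entries behind, since the existing crypt hashes stay 8-character-limited until each user resets their password.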
Actually I did read it, and I'm performing some tests with md5.
Where should I deploy the suggestion on Codev?
any suggestion?
--
TWiki:Main.JoaoMadrid
- 24 Oct 2008
We started the discussion here in codev:
http://twiki.org/cgi-bin/view/Codev/TWikiPasswordStrength
--
TWiki:Main.JoaoMadrid
- 27 Oct 2008