Posted: Tue Jun 27, 2006 8:38 Post subject: Password on telnet: only first characters required!
I've noticed a bug: I use a rather longish password (about 16 characters, alphanumeric, caps/noncaps). When going into the router over the web interface, I have to input the whole password (doh, this is correct behaviour).
But when I telnet in, it also lets me get in with only about the first 10 characters!
I've checked: those first 10 characters have to be the correct ones, otherwise you cannot get in. But anything you type after those (nothing or some trash) does not matter. I am sorry but I have not checked so far what the exact number of characters is that is enough.
I am using DDWRT54GL, Firmware: DD-WRT v23 SP1 Final (05/30/06) mini.
_________________
If you use DD-WRT, you HAVE to make a donation! See this topic too: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=228
"
telnet and ssh use the crypt() UNIX password. crypt() uses up to eight characters, any extra characters are discarded. There's nothing we can do about it.
The web server uses the nvram parameter "http_passwd" in clear text. This is why it uses all characters.
"
I see... that may be a good caveat to put up somewhere in the wiki, because this means that you will not only have to make sure that your password as a whole is secure (good mix of alpha/numeric/caps/noncaps characters), but also (!) that the first 8 characters are secure enough on their own!
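The following is an added example, not part of the original thread and not DD-WRT code: a small audit that finds accounts in a passwd-style file whose hash is in the traditional 13-character crypt() format, and a helper showing which passwords that format cannot tell apart. It assumes the crypt() in question is the traditional DES-based one (first 8 characters, low 7 bits of each), as the reply above describes; the sample lines and hash strings are constructed placeholders, not real hashes.

```python
import re

# Traditional DES crypt(3) output: 2-char salt + 11-char hash = 13 chars.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt prefixes ($id$salt$hash) that hash the whole password.
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def effective_des_key(password: str) -> bytes:
    """Bytes traditional DES crypt() actually keys on:
    the first 8 characters, low 7 bits of each."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:8])

def same_under_des_crypt(a: str, b: str) -> bool:
    """True if both passwords are interchangeable under DES crypt()."""
    return effective_des_key(a) == effective_des_key(b)

def classify_hash(field: str) -> str:
    """Identify the hash scheme from the password field's format."""
    if DES_CRYPT.match(field):
        return "des-crypt"
    m = re.match(r"^\$([0-9a-z]+)\$", field)
    if m:
        return MODULAR.get(m.group(1), "other-modular")
    return "no-hash"  # '*', '!', 'x' (shadowed) or empty

def audit(passwd_text: str) -> list:
    """Return the users whose stored hash truncates passwords to 8 chars."""
    flagged = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2:
            continue
        if classify_hash(parts[1]) == "des-crypt":
            flagged.append(parts[0])
    return flagged

# Constructed sample input; the hash fields are placeholders.
SAMPLE = """\
root:ab0123456789A:0:0:root:/tmp/root:/bin/sh
admin:$1$saltsalt$0123456789abcdefghijk.:0:0::/tmp/root:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
"""

if __name__ == "__main__":
    for user in audit(SAMPLE):
        print(f"{user}: DES crypt, only the first 8 characters count")
    print(same_under_des_crypt("Tr0ub4dor&3xyzzy", "Tr0ub4do"))
```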