View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001041||HTML & PERL||Bug Report - Interface||public||2008-03-26 20:22||2008-03-27 21:40|
|Target Version||Fixed in Version|
|Summary||0001041: Password is limited to 8 chars, yet it's not mentioned anywhere|
|Description||Setting an account password longer than 8 characters has no effect as only the first 8 characters are taken into account.|
Example: if you set "123456789" as password you only need to type "12345678" to log in successfully.
Also if your password is 8 characters or more, anything you type after the first 8 characters to log in doesn't matter.
Example: your password is "12345678" and you type "12345678asd" to log in; the log in will be successful.
Password limit should be mentioned both on the signup page and profile page and perhaps increased.
|Tags||No tags attached.|
This is caused by the currently used unix crypt() for password hashes.
In the long run a move to another hashing scheme is probably a good idea.
So far there are no plans to address this issue.
||I think we allow 16 characters for input though. That is indeed rather confusing, exp. Would need to check that first though to confirm it, but I saw some 16 character checks in adb_auth|
||Knew it. Twice in the code there were checks for 16 characters, aside from the inconsistent maxlength of the password field. It's restricted to 8 characters now for signup and password change in the profile. That should make it clear|
|2008-03-26 20:22||Indy13||New Issue|
|2008-03-26 22:52||exp||Note Added: 0001865|
|2008-03-26 23:11||DerIdiot||Note Added: 0001866|
|2008-03-27 21:40||DerIdiot||Note Added: 0001873|
|2008-03-27 21:40||DerIdiot||Status||new => resolved|
|2008-03-27 21:40||DerIdiot||Resolution||open => fixed|
|2008-03-27 21:40||DerIdiot||Assigned To||=> DerIdiot|
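
The truncation from the report, together with an input-side length check of the kind the last note describes, as an added example. This is not the project's code: the function names are hypothetical, and the salt "ab" and the passwords are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Traditional DES crypt() output: 2 salt chars + 11 hash chars, no "$id$" prefix.
sub is_traditional_des {
    my ($hash) = @_;
    return (defined($hash) && $hash =~ m{\A[./0-9A-Za-z]{13}\z}) ? 1 : 0;
}

# How many leading bytes of a password a stored hash covers.
# undef = no truncation modelled (assumption: only the DES scheme is handled here).
sub significant_bytes {
    my ($hash) = @_;
    return is_traditional_des($hash) ? 8 : undef;
}

# Login check as a crypt()-based system does it: re-hash using the stored hash as salt.
sub verify_password {
    my ($attempt, $stored) = @_;
    my $out = crypt($attempt, $stored);
    return (defined($out) && $out eq $stored) ? 1 : 0;
}

# Signup/profile check: refuse input that the hash would silently ignore.
sub check_new_password {
    my ($password, $salt) = @_;
    my $limit = significant_bytes(crypt('probe', $salt));   # which scheme does this salt select?
    return (1, '') unless defined $limit;
    my $len = do { use bytes; length $password };           # crypt() works on bytes
    return $len > $limit
        ? (0, "only the first $limit bytes would be checked at login")
        : (1, '');
}

# Constructed sample: the password from the report, hashed with an arbitrary salt.
my $stored = crypt('123456789', 'ab');
die "DES crypt() is not available on this system\n" unless is_traditional_des($stored);

for my $attempt ('12345678', '123456789', '12345678asd', '1234567') {
    printf "%-12s => %s\n", $attempt,
        verify_password($attempt, $stored) ? 'accepted' : 'rejected';
}

my ($ok, $why) = check_new_password('123456789', 'ab');
print "signup check: ", ($ok ? 'ok' : "refused: $why"), "\n";
```

Some systems build their crypt library without the traditional DES scheme; the script then stops at the `die` line instead of printing results.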