
Possible HUGE security flaw in OSX!!
Mac Enthusiast
Join Date: Sep 2003
Dec 17, 2004, 06:00 AM
 
I am finding a strange security flaw in OSX. Test your machine. Running 10.3.6 on 3 powerbooks here. One is an Aluminum 15 inch, 2 are Titanium 15 inch. Both Titaniums had this security flaw, but my personal one the Aluminum does not. I don't see why it would matter the hardware but test your machines to verify.

Ok here's the glitch. In order for you to succeed through an OS X password challenge box, all you have to do is type the correct password as the beginning of your entry.

Example: Your password is HAPPYDAYS32 If you enter HAPPYDAYS325544485689 as your password, it succeeds. or HAPPYDAYS322 or HAPPYDAYS32BA

So If my brother's password used to be HAPPYDAYS34 and last week he changed it to HAPPYDAYS, I can still log in without him telling me that he changed his password.

Does Apple know about this? Does it make sense that 2 out of 3 powerbooks that I've tried have this flaw? Does it matter the hardware revision or is it just a common glitch?


After testing it last night, I upgraded to 10.3.7 as I expected the test still fails on my AL15 but it always failed, I will urge my brother to upgrade to 10.3.7 and test again, please post your experiences.
     
Mac Elite
Join Date: Jun 2003
Location: Newport News, VA USA
Dec 17, 2004, 06:20 AM
 
I'm assuming the Titaniums were upgraded from Jaguar at some point. Jaguar and earlier versions of OS X used a different password scheme that only recognized the first 8 characters of a password.

Try changing the passwords on the problem machines and see if you get the same results...

edit: See this posting over at macosxhints.com:
http://www.macosxhints.com/article.p...41206090221302
     
Bruck  (op)
Mac Enthusiast
Join Date: Sep 2003
Dec 17, 2004, 07:34 AM
 
Thanks!!! That link explained the issue, both machines had been upgraded to jag, while my AL15 had been installed from scratch.
(Last edited by Bruck; Dec 17, 2004 at 07:39 AM. )
     
Mac Elite
Join Date: Nov 2001
Dec 17, 2004, 08:48 AM
 
Originally posted by Bruck:
Thanks!!! That link explained the issue, both machines had been upgraded to jag, while my AL15 had been installed from scratch.
This is standard UNIX. If you use a crypt password (which is the least secure password type), it only uses the first 8 characters of the password.

This is not a HUGE security flaw in OS X -- it's the way crypt passwords work. OS X server has additional options for passwords, but c'mon do you REALLY need a 27 character password? No.
     
Grizzled Veteran
Join Date: Feb 2001
Location: Pittsburgh
Dec 17, 2004, 10:09 AM
 
Originally posted by CatOne:
This is standard UNIX.
Sort of. Many *nix had this problem at one point but it has been mostly resolved in newer versions on most platforms.

There are various backends for user authentication. Fresh installs of 10.3 do not exhibit this insecurity. Also fixed are the non-shadowed password problems.
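The 8-character crypt(3) truncation CatOne describes, and the "different backends" point in the last reply, as an added example that is not code from any poster: a small Python audit that flags accounts whose shadow-style hash is still in the traditional 13-character DES crypt format (the scheme in which only the first 8 characters of the password count), and a helper showing why two passwords collide under that scheme. The shadow lines are constructed, and the bcrypt 72-byte limit is from general knowledge rather than the thread.

```python
import re

# Traditional DES crypt(3) output is exactly 13 characters from the
# [./0-9A-Za-z] alphabet (2-char salt + 11-char hash) with no "$id$" prefix.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_IDS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
               "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

# Longest password prefix each scheme actually examines (absent = whole password).
# DES crypt uses only the first 8 characters; bcrypt stops at 72 bytes.
ACCEPTED_PREFIX = {"des-crypt": 8, "bcrypt": 72}

def hash_scheme(hash_field):
    """Classify one shadow hash field by its format."""
    if hash_field in ("", "*", "!", "!!", "x"):
        return "locked-or-none"
    if hash_field.startswith("$"):
        parts = hash_field.split("$")
        return MODULAR_IDS.get(parts[1], "unknown-modular")
    if DES_CRYPT_RE.match(hash_field):
        return "des-crypt"
    return "unknown"

def same_effective_password(pw_a, pw_b, scheme):
    """True when the scheme cannot tell the two passwords apart because the
    prefix it hashes is identical: exactly the OP's symptom."""
    limit = ACCEPTED_PREFIX.get(scheme)
    return pw_a[:limit] == pw_b[:limit] if limit else pw_a == pw_b

def truncating_accounts(shadow_lines):
    """Usernames whose stored hash uses the 8-character DES crypt scheme."""
    hits = []
    for line in shadow_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2 and hash_scheme(fields[1]) == "des-crypt":
            hits.append(fields[0])
    return hits

# Constructed sample shadow entries (not real hashes).
SAMPLE_SHADOW = [
    "alice:ab8Dsfk3jdkxQ:12770:0:99999:7:::",        # 13-char DES crypt
    "bob:$6$saltsalt$notARealSha512CryptHash:12770:0:99999:7:::",
    "carol:!:12770:0:99999:7:::",                     # locked account
]

if __name__ == "__main__":
    print(truncating_accounts(SAMPLE_SHADOW))                             # ['alice']
    print(same_effective_password("HAPPYDAYS34", "HAPPYDAYS", "des-crypt"))  # True
```

Accounts the audit lists should have their passwords re-set once the machine is on a backend that stores full-length hashes, since re-setting is what migrates the stored hash format.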