Question about member's FTP/POP3/HTTP password.


Arthur Cui
7-14-03, 04:25 AM
Hello,

Why does Powweb ONLY validate the first eight (8) characters and ignore the rest of a member's FTP/POP3/HTTP password when logging on to the respective server? There is no hint about this when we change the password in OPS.
Why? :cool:

B&T
7-14-03, 04:39 AM
OPS accepts a longer password.
FTP does in fact only check the first 8 characters.
And all this time I thought I was doing good to have longer passwords. :(

But . . . you have way too much time on your hands if you found this. :)

Arthur Cui
7-14-03, 04:45 AM
It's a coincidence. I entered a wrong password when I was logging on to the FTP server because I was impatient. So... :D

Croc Hunter
7-14-03, 04:49 AM
A simple 8 character max recognised notice would be good :(

Arthur Cui
7-14-03, 05:00 AM
I don't think an 8 character password is strong enough because the website is very important to me. :(

NMS
7-15-03, 04:17 AM
Originally posted by Arthur Cui
I don't think an 8 character password is strong enough because the website is very important to me. :(

It depends on what password you use. If I use a single character, that would be 1200 possibilities. Since the user does not know how many characters you are using, this may be even more efficient.

Everyone knows maths... if you use 2 characters that would give you 1200 x 1200 possibilities.

If a 4 digit number was not secure enough, ATMs would not be available to use!!!!

B&T
7-15-03, 10:39 AM
After doing some more testing.

The htaccess/htpasswd password can be longer.

The ops password can be longer.

The ftp password ignores anything after 8 characters.

So for the website, it would appear the weakest link is ftp. I would suggest you can use a scrambled user as well so you would have 16 random characters, but you are stuck with your primary user as a permanent user name that cannot be disabled. And I bet most of us do not have a truly random username as our primary user.

nmsupplies - your ATM analogy is flawed. You have to enter an ATM password manually, so 4 digits is quite secure. Very different than having passwords on a computer.

And . . . how do you get 1200 possibilities per character? My character set is much smaller than that.

NMS
7-15-03, 02:42 PM
Originally posted by B&T
nmsupplies - your ATM analogy is flawed. You have to enter an ATM password manually, so 4 digits is quite secure. Very different than having passwords on a computer.

And . . . how do you get 1200 possibilities per character? My character set is much smaller than that.

That's why it is only numbers and with 4 digits. With computers you can use any existent character.

If you open Character Map and go to Times New Roman only you have 1200 characters...

B&T
7-15-03, 06:46 PM
Pretty hard to type those in, but I guess you could.

But something to consider if you always use the same PC to access your ftp.

KnappApps
7-15-03, 09:34 PM
Originally posted by nmsupplies
It depends on what password you use. If I use a single character, that would be 1200 possibilities. Since the user does not know how many characters you are using, this may be even more efficient.

Everyone knows maths... if you use 2 characters that would give you 1200 x 1200 possibilities.

If a 4 digit number was not secure enough, ATMs would not be available to use!!!!

If that's the case, be sure to let the creators of PGP (et al.) know. Silly fools use 128 for some crazy reason.

Originally posted by nmsupplies
That's why it is only numbers and with 4 digits. With computers you can use any existent character.

If you open Character Map and go to Times New Roman only you have 1200 characters...

I don't think you're getting it. The speed at which an individual could try computer passwords, not to mention automation, makes the two incomparable.

Additionally, I doubt the use of anything above the 255 ASCII (probably 127) characters.

NMS
7-16-03, 04:11 AM
You can create anything using the Alt Tab and the number... then it depends on what character settings you have. Example... I can insert Maltese characters.

RocketJeff
7-16-03, 10:10 AM
Originally posted by KnappApps
If that's the case, be sure to let the creators of PGP (et al.) know. Silly fools use 128 for some crazy reason.

The public key for encryption is totally different than a password used to access a system. 128 characters is necessary to protect encrypted files since there are attack methods that can guess shorter keys depending on the length of the file that was encrypted. This doesn't matter for passwords, which don't encrypt anything, and are used once a session. It's like comparing apples to oranges.

I'm assuming that the 8 character limit is because Powweb is using FreeBSD. 8 characters is/was the maximum password length for most Unix-based systems.

It would take 2,821,109,907,456 attempts to check every combination of letters and numbers (i.e. 36^8) - a number large enough that brute force is not a realistic possibility to get access. This doesn't even include using the special characters on the keyboard.

Simply, I wouldn't worry about having an 8 character password. Picking a bad password (names, simple words), keyloggers and social engineering are all much worse threats.

tsn_radix
7-16-03, 07:41 PM
dudes..

Let's say you use the common basic English alphanumeric charset [26+26+10 characters, no spaces, punctuation, etc.]

That's 62 characters ranging over these ASCII ranges: 65-90, 97-122, and 48-57.

With 62 combos of this 'common' charset used in passwords and utilising an 8 character password.. Anyone who did Maths B/C in high school can figure out probability factors quite easily...

Hence.. using my simple combination equation:
combo ^ len = num_of_combos..

Simple .... there are 62 combos per character, 8 characters is the length.. therefore: 62^8 = 218340105584896 possible combinations... about 218 billion [or for US people: 218 thousand billion / or 281 trillion?]

Hmm.. not bad I'd say.. and that's just using a simple 62 combo charset.... If you had 6 digits that's: 56800235584 combinations.. Sure.. it's significantly less, but hell.. it's still over 56 thousand million [or 56 billion for those 'special' American people among us]


Now not only this, but if you use your forum handle as your username, well, you're really just incriminating yourself aren't you? I mean, try to add some differences between your ftp username and forum handles.. it helps....

Also, you CAN actually just point your "real" root ftp user to a dummy directory [i.e. /htdocs/null] or even make a fake dir in your FTP space... and then create another, different username [something other than your real username], and hence the security has just been bumped up a bit more now with a separate, totally different user name; make that new user point to your root ftp folder.....


Anyway.. enough maths for today...


BAI
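A worked version of the keyspace arithmetic in RocketJeff's and tsn_radix's posts, added here as an example and not code from either poster. It reproduces the 36^8, 62^8 and 62^6 figures from the thread and models the reported FTP behaviour of only checking the first 8 characters; the guess rate used for the time estimate is an assumption, not a measurement.

```python
import math

# Character-set sizes used in the thread (constructed to match the posts).
CHARSETS = {
    "digits": 10,         # a 4-digit ATM PIN lives here
    "lower+digits": 36,   # RocketJeff's letters-and-numbers set
    "alnum": 62,          # tsn_radix's case-sensitive 26+26+10 set
}


def keyspace(charset_size, length, checked_chars=None):
    """Number of distinct passwords the server can actually tell apart.

    When the server only compares the first `checked_chars` characters (the
    FTP behaviour reported in the thread), every character past that point
    adds nothing to the keyspace.
    """
    effective = length if checked_chars is None else min(length, checked_chars)
    return charset_size ** effective


def entropy_bits(charset_size, length, checked_chars=None):
    """Keyspace expressed in bits, which is how key sizes are usually compared."""
    return math.log2(keyspace(charset_size, length, checked_chars))


def years_to_exhaust(charset_size, length, guesses_per_second, checked_chars=None):
    """Worst-case time to try every candidate at an assumed guess rate."""
    seconds = keyspace(charset_size, length, checked_chars) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def truncation_collides(pw_a, pw_b, checked_chars=8):
    """True when two different passwords are accepted as the same one."""
    return pw_a != pw_b and pw_a[:checked_chars] == pw_b[:checked_chars]


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        for length in (4, 6, 8, 16):
            print(f"{name:13} len={length:2}: {keyspace(size, length):>22,} "
                  f"({entropy_bits(size, length):5.1f} bits); "
                  f"FTP sees {keyspace(size, length, 8):>18,}")
    # Assumed rate of 1000 guesses/s against a network login; 62^8 at that
    # rate is still thousands of years, which is RocketJeff's point.
    print(f"{years_to_exhaust(62, 8, 1000):,.0f} years")
    # A long password and its 8-character prefix are indistinguishable.
    print(truncation_collides("correcthorsebatterystaple", "correcth"))
```

The `FTP sees` column is the figure that matters for the thread: a 16-character alphanumeric password is worth exactly 62^8 on a server that stops comparing after the eighth character.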

tsn_radix
7-16-03, 07:54 PM
Originally posted by RocketJeff
...It would take 2,821,109,907,456 attempts to check every combination of letters and numbers (i.e. 36^8) - a number large enough that brute force is not a realistic possibility to get access. This doesn't even include using the special characters on the keyboard.

Simply, I wouldn't worry about having an 8 character password. Picking a bad password (names, simple words), keyloggers and social engineering are all much worse threats.....


I just read over the final part of your post and realised you too did the maths to show the figures.. Only thing is you forgot to count the fact that the passwords [even in FreeBSD] ARE case-sensitive, hence this adds another 26 characters to your 'simple' charset...

;-)