WeBWorK Main Forum

passwords

by Jason Aubrey -
Number of replies: 1
Hi All,

I've just noticed that if I mess up my WeBWorK password after the eighth character, the password is still accepted.

I'm wondering if this is intended or necessary or unintended or fixable.

When looking into this I noticed a bunch of 255's floating around in the various database modules. This seems relevant, but I haven't been able to chase through exactly why this behavior occurs.

Thanks,
Jason
In reply to Jason Aubrey

Re: passwords

by Jason Aubrey -
OK, well, it looks like this occurs because Perl's crypt() function uses C's crypt() function, whose default algorithm only looks at the first 8 characters.

It appears that it is possible to use the SHA-256 or SHA-512 algorithms in crypt(). This would have the advantage that the encoded version would depend on the user's entire password rather than the first 8 characters. Maybe only cryptPassword() in Utils.pm would have to change? On the other hand, there would have to be some way to be allowed to use the existing encoded password until the user changes it.

Jason
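
The behaviour discussed in this thread, as an added Perl example that is not WeBWorK's code or part of either post: it shows the 8-character truncation of a legacy DES crypt() hash next to a SHA-512 hash, and a check that keeps accepting the old hash while flagging it for replacement. The helper names `hash_sha512` and `check_password` are hypothetical, and the code assumes the platform's crypt(3) supports both the `$6$` prefix (as glibc does) and legacy DES hashes.

```perl
use strict;
use warnings;

# Added illustration, not WeBWorK code. hash_sha512() and check_password() are
# hypothetical names; assumes crypt(3) handles "$6$" (SHA-512) and legacy DES.
my @SALT_CHARS = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');   # 64 characters

# Build a new SHA-512 crypt hash with a 16-character random salt.
sub hash_sha512 {
    my ($password) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    my $salt = join '', map { $SALT_CHARS[ord($_) % 64] } split //, $bytes;
    my $hash = crypt($password, "\$6\$$salt\$");
    die "crypt() has no SHA-512 support on this platform"
        unless defined $hash && $hash =~ /^\$6\$/;
    return $hash;
}

# Check a password against a stored hash of either kind.
# Returns (ok, needs_upgrade): needs_upgrade is set only when the check
# succeeded against a hash that is not SHA-512, i.e. a legacy hash.
sub check_password {
    my ($password, $stored) = @_;
    my $computed  = crypt($password, $stored);   # stored hash carries its salt
    my $ok        = defined $computed && $computed eq $stored;
    my $is_legacy = $stored !~ /^\$6\$/;
    return ($ok ? 1 : 0, ($ok && $is_legacy) ? 1 : 0);
}

# Constructed sample: legacy DES hash of a 12-character password.
my $legacy = crypt('correcthorse', 'ab');
die "legacy DES crypt() is disabled here" unless defined $legacy && length($legacy) == 13;
my ($ok, $upgrade) = check_password('correcthXXXX', $legacy);   # same first 8 chars
print "DES hash accepts wrong tail: $ok (needs_upgrade=$upgrade)\n";

my $new = hash_sha512('correcthorse');
($ok, $upgrade) = check_password('correcthXXXX', $new);
print "SHA-512 hash accepts wrong tail: $ok\n";
($ok, $upgrade) = check_password('correcthorse', $new);
print "SHA-512 hash accepts full password: $ok (needs_upgrade=$upgrade)\n";
```

If the caller rehashes at login when `needs_upgrade` is set, the new hash covers exactly what was typed, so a mistyped tail beyond the eighth character that a legacy hash accepted becomes part of the stored password. Replacing the hash only when the user changes the password avoids that.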