vnc security glitch: long passwords

Ingecom - SERRE Jean-Christophe jcs "at" ingecom.com
Tue, 08 Aug 2000 17:37:18 +0000


Dave Dyer <ddyer "at" bigfoot.com> wrote:
>
>  VNC doesn't complain if you try to assign a password
> longer than it actually uses.  The security problem is
> that if you habitually use such long passwords, you may
> think you're giving each host a different password, but
> you're not.  The hazard is obvious.

I agree that VNC's password edit field should have .maxLength=8 set so as
not to be misleading about the entered password -- now, this password
behavior is explicitly stated in the FAQ, so it's up to you to RTFF...

http://www.uk.research.att.com/vnc/faq.html#q53

One may add that if all passwords start with the same 8 chars (and now
every hacker reading this list knows that you seem to have that
habit :-) then it wasn't really worth having "long passwords"...

--
JCS - Jean-Christophe SERRE - INGECOM France - +33 (0)1.48.34.12.34
 
Microsoft: the 51st State of America -- 52nd coming soon!
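
An added example, not part of the original message or of VNC's own code: an audit that reduces each password to the 8 bytes discussed in the thread and lists hosts whose different-looking passwords collapse to the same one. Host names and passwords are constructed; UTF-8 input and NUL padding of short passwords are assumptions of this sketch.

```python
from collections import defaultdict

VNC_PASSWORD_LEN = 8  # only the first 8 bytes of the password are used


def effective_vnc_password(password: str) -> bytes:
    """Return the bytes that actually matter: truncated to 8, NUL-padded."""
    raw = password.encode("utf-8")  # assumption: passwords are UTF-8/ASCII
    return raw[:VNC_PASSWORD_LEN].ljust(VNC_PASSWORD_LEN, b"\x00")


def audit(host_passwords: dict) -> dict:
    """Find silently truncated passwords and hosts that end up sharing one."""
    # Hosts whose password is longer than what is actually used.
    truncated = sorted(
        host for host, pw in host_passwords.items()
        if len(pw.encode("utf-8")) > VNC_PASSWORD_LEN
    )
    # Group hosts by the effective (truncated) password.
    groups = defaultdict(list)
    for host, pw in host_passwords.items():
        groups[effective_vnc_password(pw)].append(host)
    # Report groups where the typed passwords differ but the effective one
    # is identical: the owner believes these hosts have distinct passwords.
    shared = []
    for hosts in groups.values():
        typed = {host_passwords[h] for h in hosts}
        if len(hosts) > 1 and len(typed) > 1:
            shared.append(sorted(hosts))
    return {"truncated": truncated, "shared": sorted(shared)}


# Constructed sample inventory (hypothetical hosts and passwords).
SAMPLE = {
    "alpha": "Summer2000-alpha",
    "beta": "Summer2000-beta",
    "gamma": "kT4!w",
    "delta": "9vB$e2Lq",
}

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("truncated on:", report["truncated"])
    print("same effective password:", report["shared"])
```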