Web Hosting Talk

View Full Version : SSH Vulnerability


qps
07-24-2001, 04:49 PM
http://www.theregister.co.uk/content/55/20594.html

Wow... That's not good for most of us here...

Some of the systems that include default two-character passwords (and thus might be vulnerable if the affected software is used) are Red Hat Linux 6.1 through 7.1, Solaris 2.6 through 2.8, HP-UX 10.20, HP-UX 11.00, Caldera Linux 2.4, and SuSE Linux 6.4 through 7.0. Solaris systems are particularly vulnerable to the exploit, which would be trivial for hackers to pull off on Sun servers running the affected software.

sbrad
07-24-2001, 04:53 PM
Figures.
Because of weak password authentication to the SSHD2 daemon it's been discovered that accounts with password fields consisting of two or fewer characters can be compromised using any password, including an empty password.
Seems to me as long as passwords are 3+ characters, it should be ok then, right?

node9
07-24-2001, 04:57 PM
woohoo
Systems using OpenSSH are not affected by the issue.

thank god
:D

JeremyL
07-24-2001, 05:17 PM
Why in the world would anyone make a password that short anyway? You might as well not even have one if that's the case.

sbrad
07-24-2001, 05:21 PM
Why in the world would anyone make a password that short anyway? You might as well not even have one if that's the case.
hehe
Most people are going to make their password whatever their dog's name is...so if their dog is named 'bob', then that's the password, no matter what.

Planet Z
07-24-2001, 05:24 PM
Originally posted by JeremyL
Why in the world would anyone make a password that short anyway? You might as well not even have one if that's the case.

You mean one letter passwords are... bad?

:D

JeremyL
07-24-2001, 05:32 PM
Originally posted by Planet Z


You mean one letter passwords are... bad?

:D

Oops, did I give away the secret?

drhonk
07-24-2001, 06:49 PM
OpenSSH is better anyways ...

XTStrike
07-25-2001, 03:52 AM
I was actually wondering if this vuln was "TWO Char Passwords" OR "Passwords CONTAINING ONLY TWO Chars"

e.g.:

Let's say my password is: "ab" (without quotes). I presume that's vulnerable.

OR

Is it passwords as follows: "abababababab" (without quotes)

Or is it something completely different? I mean, my password is like over 13 characters; I presume it is in no way vulnerable.

But anybody using only two chars in a password is just looking for trouble.

Can anybody clarify the situation?

Tim Greer
07-25-2001, 06:55 PM
Originally posted by xtstrike
I was actually wondering if this vuln was "TWO Char Passwords" OR "Passwords CONTAINING ONLY TWO Chars"

e.g.:

Let's say my password is: "ab" (without quotes). I presume that's vulnerable.

OR

Is it passwords as follows: "abababababab" (without quotes)

Or is it something completely different? I mean, my password is like over 13 characters; I presume it is in no way vulnerable.

But anybody using only two chars in a password is just looking for trouble.

Can anybody clarify the situation?

"it's been discovered that accounts with password fields consisting of two or fewer characters can be compromised using any password, including an empty password."

Any moron that used two or fewer characters for a password deserves what happens. Besides the point, you could use a brute force password cracker over the Internet, and we're only talking a max of about 2 minutes to gain access to any account that uses a 2 character password anyway -- so why bother to worry about an exploit? That's ridiculous. Also, I don't see or know of too many people that are paying to use SSH 3, when OpenSSH is free and works well.
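
The advisory text quoted in this thread describes affected accounts by the length of their password field, which an administrator can check directly. The audit below is an added example, not part of the thread or of any vendor tool; it assumes "password field" means the second colon-separated field of a shadow-format file, and the sample entries and function names are constructed for illustration.

```python
import sys

# Constructed sample in shadow(5) layout: account:password-field:aging...
# Short values such as NP, * and !! are placeholders, not chosen passwords.
SAMPLE_SHADOW = """\
root:$1$Xc3Kq9aB$hN0pQ2rS4tU6vW8xY0zA1.:11527:0:99999:7:::
bin:*:11527:0:99999:7:::
lp:NP:6445::::::
nobody:!!:11527:0:99999:7:::
guest::11527:0:99999:7:::
alice:abJnggxhB/yWI:11527:0:99999:7:::
# comment line
malformed-line-without-colons
"""


def short_password_fields(text, max_len=2):
    """Return (line number, account, field) for every entry whose password
    field has max_len or fewer characters, the condition the advisory names."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue  # not an account entry
        account, field = parts[0], parts[1]
        if len(field) <= max_len:
            findings.append((lineno, account, field))
    return findings


def report(findings):
    """Format findings; only fields already known to be short are echoed."""
    lines = []
    for lineno, account, field in findings:
        kind = "empty field" if field == "" else "field %r" % field
        lines.append("line %d: %s has %s" % (lineno, account, kind))
    return lines


if __name__ == "__main__":
    # Pass a shadow-format file as argv[1]; otherwise audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_SHADOW
    print("\n".join(report(short_password_fields(text))) or "no short fields")
```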

microsol
07-26-2001, 01:05 PM
Here's another article:
http://www.zdnet.com/zdnn/stories/news/0,4586,5094560,00.html

ryu
07-29-2001, 12:58 AM
Originally posted by node9
Systems using OpenSSH are not affected by the issue.

phew! *pantpantwipesweat* :D