Password vulnerability in OS X

Discussion in 'Mac Help/Tips' started by arogge, Jul 11, 2003.

  1. arogge macrumors 65816

    Joined:
    Feb 15, 2002
    Location:
    Tatooine
    #1
    I just found a vulnerability in the OS X password security. I can bypass the exact password as long as the password is correct up to the second to last character. For example, if the password is "Macintosh", the system will accept any of the following as valid:

    "Macintos"
    "Macintosh"
    "Macintos[char++]"
    "Macintos[int++]"
    "Macintosh[char++]"
    "Macintosh[int++]"
     
  2. altivec 2003 macrumors regular

    Joined:
    Feb 8, 2003
    Location:
    Texas
    #2
    Re: Password vulnerability in OS X

    That sounds scary... fortunately if your password is long enough it would take a lot to get it up to the last digit. That's pretty strange though. I guess if I had a 1 letter password anything would work?
    Hmmmm.... You probably should report this to Apple!
     
  3. phreaker57x macrumors newbie

    Joined:
    Jun 23, 2003
    Location:
    New York
    #3
    Re: Password vulnerability in OS X

    whoa. that's really weird. anyways... i only have mac os 10.1 and the password thing worked as you said except mine doesn't accept the "one digit less" one though. weird.
     
  4. Nermal Moderator

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    New Zealand
    #4
    Where are you experiencing this problem? And what version of OS X are you running? I have 10.2.6 and tried this at the login screen and could only get in by typing my proper password.
     
  5. mnkeybsness macrumors 68030

    Joined:
    Jun 25, 2001
    Location:
    Moneyapolis, Minnesota
    #5
    this worked for me at the screen saver password prompt. another issue that apple really needs to address.
     
  6. arogge thread starter macrumors 65816

    Joined:
    Feb 15, 2002
    Location:
    Tatooine
    #6
    The 'sploit works on OS 10.1.5 and 10.2.6. The length of the password is important. The password must be longer than 7 characters for it to work.
     
  7. FredAkbar macrumors 6502a

    Joined:
    Jan 18, 2003
    Location:
    Santa Barbara, CA
    #7
    I just logged into my root user account in Terminal, and it seems that this security issue isn't just about the 2nd-to-last character in a password: my root password is 13 characters long, and as long as I get the first 8 characters right, it accepts the password even if the last 5 characters are excluded or incorrect.

    I just tried the same thing in the Finder, and it works there too.

    edit: by the way, I have 10.2.6.

    --Fred
     
  8. szark macrumors 68030

    Joined:
    May 14, 2002
    Location:
    Arid-Zone-A
    #8
    This is not an exploit, although it is not functioning as most people expect it to.

    As has been discussed in other threads before, the login panel uses an old UNIX DES login encryption method. This system has always recognized a maximum of 8 characters, no matter how long your password is.

    Hopefully in Panther, Apple will use one of the other, better encryption methods for the default login.
     
  9. arogge thread starter macrumors 65816

    Joined:
    Feb 15, 2002
    Location:
    Tatooine
    #9
    It appears that OS X will truncate any password longer than 7 characters to only 8 characters. In other words, it's an 8-character overflow. This problem is global in that it affects the Login Window, Screen Effects, Keychain Access, and even network logon security. For anyone with long password phrases that have easily-guessable words in the first 8 characters, this is a problem. Since "MacintoshOSXIsMoreSecureThanMicrosoftWindows" only needs to be entered as "Macintosh", gaining unauthorized access is very simple with a common name attack. Of course, we all have passwords that are a combination of letters and numbers, including a mix of upper- and lower-case characters. ;)
     
  10. simX macrumors 6502a

    Joined:
    May 28, 2002
    Location:
    Bay Area, CA
    #10
    Actually, this is not entirely true. Keychain Access actually requires the full password. This issue has been documented on MacFixIt before.
     
  11. arogge thread starter macrumors 65816

    Joined:
    Feb 15, 2002
    Location:
    Tatooine
    #11
    Weird... I accessed my Keychain with the truncated password when I was prompted by OS X as a result of changing my password.
     
  12. Nermal Moderator

    Staff Member

    Joined:
    Dec 7, 2002
    Location:
    New Zealand
    #12
    OK, that explains why I couldn't replicate the problem with my 6-character password. But there's nothing important on my system so I think I can wait for a fix rather than change (and subsequently forget) my password.

    It'll be interesting to try this after installing the 14/7/03 security update. It apparently fixes the 2048 character overflow in the screensaver password, but there's a (small) chance it'll fix this one too.
     
  13. sparkleytone macrumors 68020

    Joined:
    Oct 28, 2001
    Location:
    Greensboro, NC
    #13
    this is not a bug. it's always been that way. it truncates your password. better yet, it just ignores everything past 8 chars.
     
  14. FredAkbar macrumors 6502a

    Joined:
    Jan 18, 2003
    Location:
    Santa Barbara, CA
    #14
    If it's not a bug, then they need to make it clear when you create your password that someone only needs to know the first 8 characters in order to "know" your password.

    --Fred
     
  15. zimv20 macrumors 601

    Joined:
    Jul 18, 2002
    Location:
    toronto
    #15
    every version of unix i've used -- dating to 1984 -- recognizes passwords up to 8 characters only.
     
  16. FredAkbar macrumors 6502a

    Joined:
    Jan 18, 2003
    Location:
    Santa Barbara, CA
    #16
    But many Mac users know very little, if anything, about Unix. Mac OS X is a public operating system, made for users of any level of Unix experience. Many Mac users are still learning new things about Unix.

    --Fred
     
  17. zimv20 macrumors 601

    Joined:
    Jul 18, 2002
    Location:
    toronto
    #17
    what was the os9 character limit? anyone know?
     
  18. szark macrumors 68030

    Joined:
    May 14, 2002
    Location:
    Arid-Zone-A
    #18
    Just to alleviate everyone's concerns, this issue is NOT present in the Panther preview. I tried setting a 9-character password, and the login window did not take the 8-character version.
     
  19. arogge thread starter macrumors 65816

    Joined:
    Feb 15, 2002
    Location:
    Tatooine
    #19
    It looks like OS X passwords are still more secure than Windows passwords, even with an 8-character limit. I was not really able to get Keychain to accept a truncated password. When I was testing the password lengths, I set an 8-character one, was immediately prompted by iChat to enter a password into Keychain, and forgot that I had already changed it from a 9-character one. If OS 10.3 fixes the character limit, the passwords will be even more secure than they are now.

    http://news.com.com/2100-1009_3-5053063.html?tag=fd_top

    {
    Microsoft has used two encoding schemes, also known as hashing functions, to encrypt passwords. The first, known as LANManager or LANMan, was used by Windows 3.1, 95, 98, Me and early NT systems to secure passwords that were used to connect to early Windows networks.

    The LANMan scheme has several weaknesses, including converting all characters to uppercase, splitting passwords into 7-byte chunks, and not using an additional random element known as "salt." While the more recent NTHash fixes the first two weaknesses, it still does not use a random number to make the hashes more unique.

    The result: The same password encoded on two Windows machines will always be the same. That means that a password cracker can create a large lookup table and break passwords on any Windows computer. Unix, Linux and the Mac OS X, however, add a 12-bit salt to the calculation, making any brute force attempt to break the encryption take 4,096 times longer or require 4,096 times more memory.
    }
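
Added example, not part of any post in this thread: a Python sketch of the key-preparation step of traditional DES crypt(3), the login method named in post #8, showing why the "Macintosh" variants from post #1 are accepted while a 6-character password (post #12) is not affected. The function names are illustrative, the single-byte (Latin-1) encoding is an assumption, and the sample passwords are the ones quoted in the thread plus a constructed "secret".

```python
from collections import defaultdict

DES_CRYPT_MAX = 8  # traditional DES crypt(3) reads at most 8 password characters


def des_crypt_key(password: str) -> bytes:
    """Return the 8-byte DES key that traditional crypt(3) derives.

    Only the first 8 characters are used. Each contributes its low 7 bits,
    shifted left by one (the low bit of a DES key byte is parity and is
    ignored). Shorter passwords are padded with zero bytes.
    """
    raw = password.encode("latin-1", errors="replace")[:DES_CRYPT_MAX]
    raw = raw.ljust(DES_CRYPT_MAX, b"\0")
    return bytes((b & 0x7F) << 1 for b in raw)


def accepts(stored_password: str, attempt: str) -> bool:
    """True if the attempt produces the same DES key as the stored password.

    With the same salt, identical keys always give identical hashes, so the
    login check cannot tell the two passwords apart.
    """
    return des_crypt_key(stored_password) == des_crypt_key(attempt)


def ignored_suffix(password: str) -> str:
    """Characters that contribute nothing to the stored hash."""
    return password[DES_CRYPT_MAX:]


def equivalent_groups(candidates):
    """Group candidate passwords that the hash treats as the same password."""
    groups = defaultdict(list)
    for pw in candidates:
        groups[des_crypt_key(pw)].append(pw)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    stored = "Macintosh"
    for attempt in ("Macintos", "Macintosh", "Macintos1", "MacintoshX", "Macinto"):
        print(f"{attempt!r:14} accepted={accepts(stored, attempt)}")
    long_pw = "MacintoshOSXIsMoreSecureThanMicrosoftWindows"
    print("ignored:", ignored_suffix(long_pw))
    print("6-char password, one char short:", accepts("secret", "secre"))
```

A password-change routine on such a system can call `ignored_suffix()` and tell the user when part of the chosen password will not be checked, which is the warning asked for in post #14.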
     
