
arogge

macrumors 65816
Original poster
Feb 15, 2002
1,065
33
Tatooine
I just found a vulnerability in the OS X password security. I can bypass the exact password as long as the password is correct up to the second to last character. For example, if the password is "Macintosh", the system will accept any of the following as valid:

"Macintos"
"Macintosh"
"Macintos[char++]"
"Macintos[int++]"
"Macintosh[char++]"
"Macintosh[int++]"
 

altivec 2003

macrumors regular
Feb 8, 2003
135
0
Texas
Re: Password vulnerability in OS X

Originally posted by arogge
I just found a vulnerability in the OS X password security. I can bypass the exact password as long as the password is correct up to the second to last character. For example, if the password is "Macintosh", the system will accept any of the following as valid:

"Macintos"
"Macintosh"
"Macintos[char++]"
"Macintos[int++]"
"Macintosh[char++]"
"Macintosh[int++]"

That sounds scary... fortunately if your password is long enough it would take a lot to get it up to the last digit. That's pretty strange though. I guess if I had a 1 letter password anything would work?
Hmmmm.... You probably should report this to apple!
 

phreaker57x

macrumors newbie
Jun 23, 2003
19
0
New York
Re: Password vulnerability in OS X

Originally posted by arogge
I just found a vulnerability in the OS X password security. I can bypass the exact password as long as the password is correct up to the second to last character. For example, if the password is "Macintosh", the system will accept any of the following as valid:

"Macintos"
"Macintosh"
"Macintos[char++]"
"Macintos[int++]"
"Macintosh[char++]"
"Macintosh[int++]"
whoa. that's really weird. anyways... I only have Mac OS 10.1 and the password thing worked as you said except mine doesn't accept the "one digit less" one though. weird.
 

Nermal

Moderator
Staff member
Dec 7, 2002
20,636
4,036
New Zealand
Where are you experiencing this problem? And what version of OS X are you running? I have 10.2.6 and tried this at the login screen and could only get in by typing my proper password.
 

arogge

macrumors 65816
Original poster
Feb 15, 2002
1,065
33
Tatooine
The 'sploit works on OS 10.1.5 and 10.2.6. The length of the password is important. The password must be longer than 7 characters for it to work.
 

FredAkbar

macrumors 6502a
Jan 18, 2003
660
0
San Francisco, CA
I just logged into my root user account in Terminal, and it seems that this security issue isn't just about the 2nd-to-last character in a password: my root password is 13 characters long, and as long as I get the first 8 characters right, it accepts the password even if the last 5 characters are excluded or incorrect.

I just tried the same thing in the Finder, and it works there too.

edit: by the way, I have 10.2.6.

--Fred
 

szark

macrumors 68030
May 14, 2002
2,886
0
Arid-Zone-A
This is not an exploit, although it is not functioning as most people expect it to.

As has been discussed in other threads before, the login panel uses an old UNIX DES login encryption method. This system has always recognized a maximum of 8 characters, no matter how long your password is.

Hopefully in Panther, Apple will use one of the other, better encryption methods for the default login.
 

arogge

macrumors 65816
Original poster
Feb 15, 2002
1,065
33
Tatooine
It appears that OS X will truncate any password longer than 7 characters to only 8 characters. In other words, it's an 8-character overflow. This problem is global in that it affects the Login Window, Screen Effects, Keychain Access, and even network logon security. For anyone with long password phrases that have easily-guessable words in the first 8 characters, this is a problem. Since "MacintoshOSXIsMoreSecureThanMicrosoftWindows" only needs to be entered as "Macintosh", gaining unauthorized access is very simple with a common name attack. Of course, we all have passwords that are a combination of letters and numbers, including a mix of upper- and lower-case characters. ;)
 

simX

macrumors 6502a
May 28, 2002
765
4
Bay Area, CA
Originally posted by arogge
It appears that OS X will truncate any password longer than 7 characters to only 8 characters. In other words, it's an 8-character overflow. This problem is global in that it affects the Login Window, Screen Effects, Keychain Access, and even network logon security. For anyone with long password phrases that have easily-guessable words in the first 8 characters, this is a problem. Since "MacintoshOSXIsMoreSecureThanMicrosoftWindows" only needs to be entered as "Macintosh", gaining unauthorized access is very simple with a common name attack. Of course, we all have passwords that are a combination of letters and numbers, including a mix of upper- and lower-case characters. ;)

Actually, this is not entirely true. Keychain Access actually requires the full password. This issue has been documented on MacFixIt before.
 

arogge

macrumors 65816
Original poster
Feb 15, 2002
1,065
33
Tatooine
Originally posted by simX
Keychain Access actually requires the full password.

Weird... I accessed my Keychain with the truncated password when I was prompted by OS X as a result of changing my password.
 

Nermal

Moderator
Staff member
Dec 7, 2002
20,636
4,036
New Zealand
OK, that explains why I couldn't replicate the problem with my 6-character password. But there's nothing important on my system so I think I can wait for a fix rather than change (and subsequently forget) my password.

It'll be interesting to try this after installing the 14/7/03 security update. It apparently fixes the 2048 character overflow in the screensaver password, but there's a (small) chance it'll fix this one too.
 

FredAkbar

macrumors 6502a
Jan 18, 2003
660
0
San Francisco, CA
Originally posted by sparkleytone
this is not a bug. it's always been that way. it truncates your password. better yet, it just ignores everything past 8 chars.

If it's not a bug, then they need to make it clear when you create your password that someone only needs to know the first 8 characters in order to "know" your password.

--Fred
 

zimv20

macrumors 601
Jul 18, 2002
4,402
11
toronto
Originally posted by FredAkbar
If it's not a bug, then they need to make it clear when you create your password that someone only needs to know the first 8 characters in order to "know" your password.

every version of unix i've used -- dating to 1984 -- recognizes passwords up to 8 characters only.
 

FredAkbar

macrumors 6502a
Jan 18, 2003
660
0
San Francisco, CA
Originally posted by zimv20
every version of unix i've used -- dating to 1984 -- recognizes passwords up to 8 characters only.

But many Mac users know very little, if anything, about Unix. Mac OS X is a public operating system, made for users of any level of Unix experience. Many Mac users are still learning new things about Unix.

--Fred
 

zimv20

macrumors 601
Jul 18, 2002
4,402
11
toronto
Originally posted by FredAkbar
But many Mac users know very little, if anything, about Unix. Mac OS X is a public operating system, made for users of any level of Unix experience. Many Mac users are still learning new things about Unix.

what was the OS 9 character limit? anyone know?
 

szark

macrumors 68030
May 14, 2002
2,886
0
Arid-Zone-A
Just to alleviate everyone's concerns, this issue is NOT present in the Panther preview. I tried setting a 9-character password, and the login window did not take the 8-character version.
 

arogge

macrumors 65816
Original poster
Feb 15, 2002
1,065
33
Tatooine
It looks like OS X passwords are still more secure than Windows passwords, even with an 8-character limit. I was not really able to get Keychain to accept a truncated password. When I was testing the password lengths, I set an 8-character one, was immediately prompted by iChat to enter a password into Keychain, and forgot that I had already changed it from a 9-character one. If OS 10.3 fixes the character limit, the passwords will be even more secure than they are now.

http://news.com.com/2100-1009_3-5053063.html?tag=fd_top

{
Microsoft has used two encoding schemes, also known as hashing functions, to encrypt passwords. The first, known as LANManager or LANMan, was used by Windows 3.1, 95, 98, Me and early NT systems to secure passwords that were used to connect to early Windows networks.

The LANMan scheme has several weaknesses, including converting all characters to uppercase, splitting passwords into 7-byte chunks, and not using an additional random element known as "salt." While the more recent NTHash fixes the first two weaknesses, it still does not use a random number to make the hashes more unique.

The result: The same password encoded on two Windows machines will always be the same. That means that a password cracker can create a large lookup table and break passwords on any Windows computer. Unix, Linux and the Mac OS X, however, add a 12-bit salt to the calculation, making any brute force attempt to break the encryption take 4,096 times longer or require 4,096 times more memory.
}
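Added example, not posted by anyone in this thread: a Python model of the two behaviours discussed above, the traditional UNIX DES crypt(3) input handling that szark describes (only the first 8 bytes of the password are used, each reduced to 7 bits, with a 2-character salt) and the 12-bit salt space the quoted article mentions (64 salt symbols squared = 4096). The DES core is replaced by a labelled SHA-256 stand-in, so `model_crypt` does not produce real crypt(3) hashes; `probe_truncation` is a generic check a practitioner can point at any password-hashing function to find out whether it silently stops caring about characters past some length.

```python
import hashlib
import string

SALT_ALPHABET = string.ascii_letters + string.digits + "./"  # 64 symbols -> 2 chars = 12 bits
SALT_SPACE = len(SALT_ALPHABET) ** 2                          # 4096, as in the quoted article
DES_PASSWORD_LIMIT = 8                                        # bytes traditional crypt(3) uses


def effective_password(password: str) -> bytes:
    """Bytes that traditional crypt(3) actually keys DES with: the first 8,
    each reduced to 7 bits. Everything after the 8th character is ignored."""
    raw = password.encode("latin-1", "replace")[:DES_PASSWORD_LIMIT]
    return bytes(b & 0x7F for b in raw)


def model_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3) with the same input handling (2-char salt, 8-byte key).
    SHA-256 replaces the DES core here, so this is NOT a real crypt(3) hash."""
    if len(salt) != 2 or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("traditional crypt salt is exactly 2 chars from [a-zA-Z0-9./]")
    digest = hashlib.sha256(salt.encode() + effective_password(password)).hexdigest()
    return salt + digest[:11]  # 13-character form, like traditional crypt output


def full_length_hash(password: str, salt: str) -> str:
    """Contrast case (hypothetical): a scheme that uses every character,
    the behaviour szark reports from the Panther preview."""
    return salt + hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored model hash; the salt is its first 2 chars."""
    return model_crypt(candidate, stored[:2]) == stored


def probe_truncation(hash_fn, salt: str, max_len: int = 32):
    """Smallest length L at which appending a character no longer changes the hash,
    i.e. the point past which the scheme ignores input; None if no truncation is seen."""
    base = "a" * max_len
    for length in range(1, max_len):
        if hash_fn(base[:length], salt) == hash_fn(base[:length] + "z", salt):
            return length
    return None


if __name__ == "__main__":
    stored = model_crypt("MacintoshOSXIsMoreSecureThanMicrosoftWindows", "Ab")  # constructed
    print("accepts 'Macintosh':", verify(stored, "Macintosh"))
    print("truncation length:", probe_truncation(model_crypt, "Ab"), "salt space:", SALT_SPACE)
```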
 