Login page accepts only first 8 characters from the password as valid characters.

Question

In a .net application I am working on, In the login page, the passowrd box takes only the first 8 characters to validate. When I enter anything starting from 9th character and I am still successfuly logged in.

It makes no difference if the password is 8 or more characters long. Still I only need to enter first 8 characters right and then I can enter anything want.

1st Example - If the user sets his password to Machine1 - in the login page these passwords are accepted: Machine158, Machine1&5552 etc.

2nd Example - user sets his password to Wonderland-88 (in 'forgotten password' screen) - in the login page these passwords are accepted: Wonderlandy1, Wonderlanguage, Wonderlady-&1a etc.

This is definitely wrong. Only a correct password should be accepted. This is a .aspx page.

Please suggest me where would be the problem for this issue and how can I rectify this..

Thanks in advance.

Answer 1

Please suggest me where would be the problem for this issue and how can I rectify this..

• Storing a plaintext password in a VARCHAR(8) field.
• Storing SomeFunction(LEFT(password,8)) or even just LEFT(password,8)
• Someone figured out how to use ancient crypt() functionality in .NET
• Dave wrote his own code to store passwords.

To really investigate, you'll need to track down in the code just what happens when users submit the username/password.

To rectify, first read How to securely hash passwords? - though a lot of it may be refresher for you.

After that, if you want to use a pure .NET Framework function, see my answer to Is there a built in function to hash passwords in .NET?, which boils down to: Use RFC2898DeriveBytes with a random salt of 8-16 bytes (stored in plaintext) and as many iterations as you can. This is PBKDF2-HMAC-SHA-1.

If you're ok using a slight variant on a .NET Framework function, you can look at a fork of Jither's code at my github repository which allows for PBKDF2-HMAC-SHA-512 or PBKDF2-HMAC-SHA-384, both of which use 64-bit operations that reduce the advantage attackers with 2014 vintage GPU's have over defenders with 64-bit CPU based systems.

You can also try to find a .NET implementation of BCrypt or SCrypt, though be sure you trust it or test it.

Answer 2

One possibility is, that an unsafe hash function is used to hash the passwords. Maybe the application uses DES hashing (crypt function) that would explain the 8 characters.

If this algorithm is used, you should switch to a slow key derivation function like PBKDF2 or BCrypt instead. To find the relevant code, don't forget to search in SQL statements, hashing is often done there, even if it would be better placed in code.