eksith | 11 years ago

  The McGill Password length has also been increased from exactly eight 
  characters to a variable length of eight to 18 characters.
So they're not using bcrypt (usable length 72). Even PBKDF2 would have been acceptable, but my guess is that they were sold a "layer over" on their stack with this. I can already tell this is a hacky patch.

  Every year, about 1,200 to 1,500 McGill accounts are compromised in 
  one way or another.
Phishing + guessing. I know someone who gets about 2-3 emails a week asking to enter their login info into some site in Brazil or the Czech Republic.

If every site properly salted and hashed passwords, reuse isn't even a problem. But as we know:

  - Most people choose crappy passwords.
  - Most sites use crappy hashing schemes (if they hash at all)
When other sites are compromised, there's an easy list of ready passwords to try against other potential targets.

McGill's problem isn't Heartbleed.

danudey | 11 years ago

They may be artificially limiting the password length because other services which authenticate (e.g. VPNs, mail systems, older UNIX logins, administrative software, payroll, etc.) may have limits on password input fields.

eksith | 11 years ago

This is why PBKDF2 would have made more sense then. They can centrally authenticate, derive a secondary token from the original pass while specifying the max limit for each of those services. Best of all, this means the mail, UNIX login etc... need not have the same login token.
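As an added illustration of the two points above (salted, hashed storage so that a breach elsewhere yields nothing reusable, and PBKDF2-derived per-service tokens cut to each service's length limit), here is a small Python sketch using only the standard library. It is example code written for this thread, not anything from a commenter or from McGill's system; the iteration count, salt sizes, service names and length limits are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters (assumptions for this example, not any real deployment).
ITERATIONS = 200_000   # PBKDF2 work factor; tune to your hardware
SALT_BYTES = 16        # per-user random salt for the central credential store


def enforce_length_policy(password: str, min_len: int = 8, max_len: int = 18) -> str:
    """Reject out-of-policy passwords up front instead of silently truncating them.

    A site that truncates at storage time but not at login time locks users out,
    which is the failure mode described elsewhere in this thread.
    """
    if not (min_len <= len(password) <= max_len):
        raise ValueError("password must be %d-%d characters" % (min_len, max_len))
    return password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_b64$hash_b64.

    PBKDF2-HMAC consumes the whole password, so unlike bcrypt there is no 72-byte
    cap that would force a length policy; a fresh random salt per user means the
    same password at two sites produces unrelated records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 from the stored parameters and compare in constant time."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def service_token(password: str, user_salt: bytes, user: str, service: str,
                  max_len: int, iterations: int = ITERATIONS) -> str:
    """Derive a per-service login secret of at most max_len characters.

    The central authenticator (which holds user_salt) derives a different token
    for mail, UNIX login, VPN, etc. from the one password the user knows. A
    leaked mail token says nothing about the UNIX token, and none of them is the
    password itself. The salt binds the derivation to (user, service).
    """
    salt = user_salt + ("%s\x00%s" % (user, service)).encode("utf-8")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=48)
    # 48 bytes -> 64 URL-safe base64 characters with no padding; cut to the service limit.
    return base64.urlsafe_b64encode(dk).decode("ascii")[:max_len]


if __name__ == "__main__":
    pw = enforce_length_policy("correct-horse-17c")          # constructed sample password
    record = hash_password(pw)
    print(record)
    print("login ok:", verify_password(pw, record))
    central_salt = os.urandom(SALT_BYTES)                     # stored centrally per user
    for svc, limit in (("mail", 16), ("unix", 8), ("vpn", 32)):  # constructed limits
        print(svc, service_token(pw, central_salt, "alice", svc, limit))
```

Because the per-service tokens are derived on demand from the stored central salt and the user's password, the downstream systems only ever see a token sized to their own input limit, and rotating the user's password rotates every token at once.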

cgriswald | 11 years ago

On the plus side, they're telling people about the limit. I visit so many websites that will happily take passwords of arbitrary length without complaint... until you try to log in and your password doesn't work because the password you entered was too long and it truncated it.

andrewstuart2 | 11 years ago

It's a pet peeve of mine when a site puts a max length on characters (which is dumb itself) and then they don't put a max length on the password input later. Nothing but a regular workout for your 'forgot my password' feature.

It bothers me less now that I use a good password generator/safe, but still bothers me nonetheless.

jschwartzi | 11 years ago

I have an auto loan with a company which truncates the username. It's bizarre because they'll happily let you key in the entire username when you go to log in, but it truncates when you first set your account up.

Why on earth would you ever need to truncate a username?

fabulist | 11 years ago

> Phishing + guessing. I know someone who gets about 2-3 emails a week asking to enter their login info into some site in Brazil or the Czech Republic.

I think it probably has something to do with this.

https://www.mcgill.ca/it/channels/news/email-subject-interna...