I don't know whether this is actually a problem or not. I did tell the IT administrators but I got no reply and nothing was done.
At my university, everyone has a logon account. I discovered that it would accept my password if I added a random string after it.
So if my password was
password
It accepts
password123
passwordhvgFghvjej36277
And so on. It does not accept anything like
passwor
133password
It only works if the password is correct and begins the phrase.
Is this a big problem? Surely if they are hashing the passwords, adding an extra character will change the hash?
Answer 0: (score: 0)
This will happen if they cut off the password after a certain maximum length. Not really good practice, but unfortunately not uncommon.
So what gets hashed (hopefully they do hash!) is just a fixed-length prefix of what you entered.
Of course, it could also mean that they just store a fixed-length truncated clear-text password. That would be terrible.
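An added illustration of the answer's explanation (example code written for this page, not taken from the question, the answer, or any real login system): a verifier that silently cuts the password to a hypothetical 8-character limit before hashing accepts exactly the kinds of strings the question describes, while one that hashes the full password does not. The limit, the salt and PBKDF2 are assumptions for the demo; the real system's hash and cut-off length are unknown.

```python
import hashlib
import hmac

# Assumed cut-off for the demo. Historical examples of such limits are
# 8 characters (DES crypt) and 72 bytes (bcrypt); the real value is unknown.
MAX_LEN = 8
CONSTRUCTED_SALT = b"constructed-demo-salt"  # fixed so results are repeatable


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever hash the site actually uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def register_truncating(password: str, salt: bytes = CONSTRUCTED_SALT) -> bytes:
    # Flawed: everything after MAX_LEN characters is dropped before hashing.
    return _digest(password[:MAX_LEN], salt)


def verify_truncating(stored: bytes, attempt: str, salt: bytes = CONSTRUCTED_SALT) -> bool:
    # The login side applies the same cut, so any suffix past the limit is ignored.
    return hmac.compare_digest(stored, _digest(attempt[:MAX_LEN], salt))


def register_full(password: str, salt: bytes = CONSTRUCTED_SALT) -> bytes:
    # Correct: hash every character the user typed (or reject over-length input).
    return _digest(password, salt)


def verify_full(stored: bytes, attempt: str, salt: bytes = CONSTRUCTED_SALT) -> bool:
    return hmac.compare_digest(stored, _digest(attempt, salt))


def suffix_is_ignored(verify, stored: bytes, password: str) -> bool:
    # The check the questioner performed by hand: does the correct password plus
    # junk still verify? True means the verifier is discarding part of the input.
    return verify(stored, password + "hvgFghvjej36277")


def demo(password: str = "password") -> dict:
    # Reproduces the four observations from the question against both verifiers.
    t = register_truncating(password)
    f = register_full(password)
    return {
        "trunc_exact": verify_truncating(t, "password"),
        "trunc_suffix": verify_truncating(t, "password123"),
        "trunc_too_short": verify_truncating(t, "passwor"),
        "trunc_prepended": verify_truncating(t, "133password"),
        "trunc_probe": suffix_is_ignored(verify_truncating, t, password),
        "full_suffix": verify_full(f, "password123"),
        "full_probe": suffix_is_ignored(verify_full, f, password),
    }
```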