[p4] long passwords

Matt Craighead matt.craighead at conifersystems.com
Mon Oct 13 13:57:45 PDT 2008 

Tony,

Right now P4 stores (according to earlier in the thread) the MD5 of the
first 16 characters of the password, and then compares it against the MD5 of
the first 16 characters of the password.

If the behavior is changed to compare against the MD5 of the full password,
then if your password is >16 characters, you'd have to type only the first
16, or you'd get an error.  Or, you'd have to re-enter every such password
using "p4 passwd".  These MD5s certainly couldn't be "fixed" automatically
as part of the server upgrade, since the server doesn't know the actual
password.

I'm not sure what is transmitted over the wire, the MD5 or the plaintext
password itself, but if the MD5 is what is transmitted (I would hope so?),
that would add an additional level of complexity in that old clients would
need to be upgraded also.

On Mon, Oct 13, 2008 at 3:11 PM, Tony Andrew Kennah
<tonykennah at hotmail.com>wrote:

> Hi Matt
>
> I can't see how this Perforce fix would break anything and would really
> appreciate to hear your theory.
>
> Tony
>
> ----- Original Message ----- From: "Matt Craighead" <
> matt.craighead at conifersystems.com>
> To: "Tony Andrew Kennah" <tony at kennah.org.uk>
> Cc: <perforce-user at perforce.com>
> Sent: Friday, October 10, 2008 10:55 PM
> Subject: Re: [p4] long passwords
>
>
>
> FYI, P4 support has confirmed that 32-character passwords are treated as a
>> special case.  If a password is exactly 32 characters, it is treated as a
>> special case and passed as a ticket without truncation.  Otherwise, if it
>> longer than 16 and not exactly 32, it is truncated to 16.
>>
>> The p4api takes care of this truncation for me on non-Unicode servers; I
>> guess I have to replicate that logic in my own code for Unicode servers.
>> Odd, but should work.
>>
>> I'd be a little concerned if this limitation/bug was "fixed", since this
>> would break existing long passwords.  I've run into similar issues on Unix
>> systems that were "fixed" to support longer than 8 character passwords:
>> all
>> of the sudden I had to start typing only the first 8 characters of my
>> password to be able to log in.
>>
>> On Thu, Oct 9, 2008 at 7:33 PM, Tony Andrew Kennah
>> <tonykennah at hotmail.com>wrote:
>>
>> Matt - Thats correct, passwords are truncated to 16 characters, I've
>>> logged
>>> a job with Perforce about this one.
>>>
>>> tk
>>>
>>> ----- Original Message ----- From: "Matt Craighead" <
>>> matt.craighead at conifersystems.com>
>>> To: <perforce-user at perforce.com>
>>> Sent: Thursday, October 09, 2008 11:50 PM
>>> Subject: [p4] long passwords
>>>
>>>
>>>  Some experiments I've just run seem to suggest that Perforce truncates
>>>
>>>> passwords longer than 16 characters back down to 16 characters before
>>>> storing or comparing them.  Is this correct?  I don't see anything in
>>>> either
>>>> the user or administrator docs talking about a maximum password length.
>>>>
>>>> I can put in whatever garbage I want after those first 16 characters in
>>>> the
>>>> password, and it doesn't seem to make a difference.
>>>>
>>>> Note: this does *not* apply to tickets, where all 32 hex digits appear
>>>> to
>>>> be significant (and in fact even changing uppercase to lowercase hex
>>>> digits
>>>> will give you an error).
>>>>
>>>> I'm also seeing some particularly unusual behavior with >16 character
>>>> passwords via the p4api, but I haven't entirely figured out what is
>>>> going
>>>> on
>>>> yet, so I'll refrain from speculating as to what the issue is.
>>>>
>>>> --
>>>> Matt Craighead
>>>> Founder/CEO, Conifer Systems LLC
>>>> http://www.conifersystems.com
>>>> 512-772-1834
>>>> _______________________________________________
>>>> perforce-user mailing list  -  perforce-user at perforce.com
>>>> http://maillist.perforce.com/mailman/listinfo/perforce-user
>>>>
>>>>
>>>>
>>>
>>
>> --
>> Matt Craighead
>> Founder/CEO, Conifer Systems LLC
>> http://www.conifersystems.com
>> 512-772-1834
>> _______________________________________________
>> perforce-user mailing list  -  perforce-user at perforce.com
>> http://maillist.perforce.com/mailman/listinfo/perforce-user
>>
>>
>


-- 
Matt Craighead
Founder/CEO, Conifer Systems LLC
http://www.conifersystems.com
512-772-1834

More information about the perforce-user mailing list