[p4] long passwords

Tony Andrew Kennah tonykennah at hotmail.com
Mon Oct 13 16:24:42 PDT 2008


Thanks Matt - I see your point.

I think currently a P4PASSWD value is different from the value stored in 
Perforce and I question if you should be allowed to "login" at all.  If 
using external authentication, things get a little worse, the external 
system can store the correct long password and the truncated password just 
won't compare.

I like the backwards compatibility point.  I experienced such a problem when 
the tickets functionality changed from using the DNS for the server to using 
the FQDN, even so I do think it's better to have things set correctly and 
bite a bullet, than live with bad.

At least we all know a little more about what's going on.

Tony


----- Original Message ----- 
From: "Matt Craighead" <matt.craighead at conifersystems.com>
To: "Tony Andrew Kennah" <tony at kennah.org.uk>
Cc: <perforce-user at perforce.com>
Sent: Monday, October 13, 2008 10:57 PM
Subject: Re: [p4] long passwords


> Tony,
>
> Right now P4 stores (according to earlier in the thread) the MD5 of the
> first 16 characters of the password, and then compares it against the MD5
> of the first 16 characters of the password.
>
> If the behavior is changed to compare against the MD5 of the full
> password, then if your password is >16 characters, you'd have to type only
> the first 16, or you'd get an error.  Or, you'd have to re-enter every such
> password using "p4 passwd".  These MD5s certainly couldn't be "fixed"
> automatically as part of the server upgrade, since the server doesn't know
> the actual password.
>
> I'm not sure what is transmitted over the wire, the MD5 or the plaintext
> password itself, but if the MD5 is what is transmitted (I would hope so?),
> that would add an additional level of complexity in that old clients would
> need to be upgraded also.
>
> On Mon, Oct 13, 2008 at 3:11 PM, Tony Andrew Kennah
> <tonykennah at hotmail.com> wrote:
>
>> Hi Matt
>>
>> I can't see how this Perforce fix would break anything and would really
>> appreciate to hear your theory.
>>
>> Tony
>>
>> ----- Original Message -----
>> From: "Matt Craighead" <matt.craighead at conifersystems.com>
>> To: "Tony Andrew Kennah" <tony at kennah.org.uk>
>> Cc: <perforce-user at perforce.com>
>> Sent: Friday, October 10, 2008 10:55 PM
>> Subject: Re: [p4] long passwords
>>
>>
>>
>>> FYI, P4 support has confirmed that 32-character passwords are treated as a
>>> special case.  If a password is exactly 32 characters, it is treated as a
>>> special case and passed as a ticket without truncation.  Otherwise, if it
>>> is longer than 16 and not exactly 32, it is truncated to 16.
>>>
>>> The p4api takes care of this truncation for me on non-Unicode servers; I
>>> guess I have to replicate that logic in my own code for Unicode servers.
>>> Odd, but should work.
>>>
>>> I'd be a little concerned if this limitation/bug was "fixed", since this
>>> would break existing long passwords.  I've run into similar issues on Unix
>>> systems that were "fixed" to support longer than 8 character passwords:
>>> all of a sudden I had to start typing only the first 8 characters of my
>>> password to be able to log in.
>>>
>>> On Thu, Oct 9, 2008 at 7:33 PM, Tony Andrew Kennah
>>> <tonykennah at hotmail.com> wrote:
>>>
>>>> Matt - That's correct, passwords are truncated to 16 characters, I've
>>>> logged a job with Perforce about this one.
>>>>
>>>> tk
>>>>
>>>> ----- Original Message -----
>>>> From: "Matt Craighead" <matt.craighead at conifersystems.com>
>>>> To: <perforce-user at perforce.com>
>>>> Sent: Thursday, October 09, 2008 11:50 PM
>>>> Subject: [p4] long passwords
>>>>
>>>>
>>>>> Some experiments I've just run seem to suggest that Perforce truncates
>>>>> passwords longer than 16 characters back down to 16 characters before
>>>>> storing or comparing them.  Is this correct?  I don't see anything in
>>>>> either the user or administrator docs talking about a maximum password
>>>>> length.
>>>>>
>>>>> I can put in whatever garbage I want after those first 16 characters in
>>>>> the password, and it doesn't seem to make a difference.
>>>>>
>>>>> Note: this does *not* apply to tickets, where all 32 hex digits appear
>>>>> to be significant (and in fact even changing uppercase to lowercase hex
>>>>> digits will give you an error).
>>>>>
>>>>> I'm also seeing some particularly unusual behavior with >16 character
>>>>> passwords via the p4api, but I haven't entirely figured out what is
>>>>> going on yet, so I'll refrain from speculating as to what the issue is.
>>>>>
>>>>> --
>>>>> Matt Craighead
>>>>> Founder/CEO, Conifer Systems LLC
>>>>> http://www.conifersystems.com
>>>>> 512-772-1834
>>>>> _______________________________________________
>>>>> perforce-user mailing list  -  perforce-user at perforce.com
>>>>> http://maillist.perforce.com/mailman/listinfo/perforce-user
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>
>
> 
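
The behaviour discussed in this thread, modelled as an added example that is not part of the original messages and is not Perforce code: the stored value is the MD5 of the first 16 characters, input longer than 16 is truncated unless it is exactly 32 characters, and a switch to full-length comparison rejects the full long password. The function names, the unsalted hex MD5 storage format, character-based (not byte-based) counting, and the "reset-required" transition policy are assumptions made for illustration.

```python
import hashlib

MAX_LEN = 16     # truncation length reported in the thread
TICKET_LEN = 32  # exactly 32 characters is passed through as a ticket


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def classify(typed: str) -> tuple:
    """Apply the rule from the thread to what the user typed."""
    if len(typed) == TICKET_LEN:
        return ("ticket", typed)          # special case, no truncation
    return ("password", typed[:MAX_LEN])  # anything longer is cut to 16


def store(password: str) -> str:
    """Value kept by the server: MD5 of the first 16 characters."""
    return md5_hex(password[:MAX_LEN])


def check_truncating(stored: str, typed: str) -> bool:
    """Comparison as described in the thread (assumed model)."""
    kind, value = classify(typed)
    return kind == "password" and md5_hex(value) == stored


def check_full(stored: str, typed: str) -> bool:
    """Hypothetical 'fixed' comparison against the MD5 of the full input."""
    return md5_hex(typed) == stored


def login_after_change(stored: str, typed: str) -> str:
    """Hypothetical transition policy once full-length comparison is on."""
    if check_full(stored, typed):
        return "ok"
    if check_truncating(stored, typed):
        return "reset-required"  # first 16 match, hash was made from 16 chars
    return "denied"


if __name__ == "__main__":
    long_pw = "correct-horse-battery-staple"  # constructed, 28 characters
    stored = store(long_pw)
    for typed in (long_pw, long_pw[:MAX_LEN] + "-garbage", long_pw[:MAX_LEN], "wrong"):
        print(repr(typed), check_truncating(stored, typed), login_after_change(stored, typed))
```

Because only the first 16 characters were ever hashed, the server cannot tell the real tail from arbitrary garbage, so a "reset-required" result should lead to a new password being set with "p4 passwd" rather than a silent rehash of whatever was typed.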


