Opened 11 years ago

Closed 6 years ago

#7670 closed defect (invalid)

notebook -- evidently only the first 6 characters are significant???

Reported by: was
Owned by: was
Priority: major
Milestone: sage-duplicate/invalid/wontfix
Component: notebook
Keywords:
Cc:
Merged in:
Authors:
Reviewers: Karl-Dieter Crisman
Report Upstream: N/A
Work issues:
Branch:
Commit:
Dependencies:
Stopgaps:

Description

Hi,

There is a password issue with sage notebook account. Please read below:

Sameer

On Fri, Dec 11, 2009 at 1:22 PM, Sameer Regmi wrote:
> On Fri, Dec 11, 2009 at 1:16 PM, Ondrej Certik wrote:
>> On Fri, Dec 11, 2009 at 1:12 PM, Sameer wrote:
>>> Hi, I have found a weird issue with FEMhub online lab account. Let's
>>> say my password is "nevada". Then whenever I enter any text (in
>>> password field) with nevada as the prefix it will log in. That means if
>>> I enter nevada123 (or whatever as the suffix) it will
>>> log in.
>>
>> Seems like a bug in the Sage notebook. Could you please try to verify
>> this against sagenb.org and if the problem is in there as well,
>> could you please report it to the sage notebook list?
>
> Exactly! It's the bug in Sage notebook. The issue is there in sagenb.org too.
> I can even log in with "nevad" if the password is nevada. I am
> reporting to the Sage notebook list.
>
> Sameer

Change History (9)

comment:1 Changed 11 years ago by mpatel

Could the problem be sagenb.notebook.user.User's use of crypt:

>>> import crypt
>>> crypt.crypt('abcdefgh', 'aa')
'aaHHlPHAM4sjs'
>>> crypt.crypt('abcdefghi', 'aa')
'aaHHlPHAM4sjs'

?

comment:2 Changed 11 years ago by mpatel

But crypt supports whatever the OS's underlying crypt(3) supports. We could instead do, e.g.,

>>> import crypt as c, random as r
>>> salt = repr(r.random())[2:]
>>> salt
'77551456940940877'
>>> c.crypt('abcdefgh', '$6$' + salt + '$')
'$6$7755145694094087$uW0RGjvJG3I.BDFKIAieUTPZkD4IGI6b8RtLt1fZ9czR0TefjriLwRGPItgPyZogDFsy.YorN24v2GM4YrBwK0'
>>> c.crypt('abcdefghi', '$6$' + salt + '$')
'$6$7755145694094087$txEQuYAJlZ.042gqmPTeLSczXBv1sI6kSjzpbmU7o89rh.Tk7qUGHhLHtL1GIrVXmUdFrQBuIefktTTptuEq31'

If Linux and Mac OS X, at least, both support SHA-512, I suggest we use it by default. Should we generate each user's pseudo-random "salt" --- used to avoid clustering --- differently than above?
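
Added example, not part of the ticket or of sagenb: a way to audit stored password hashes for the traditional DES crypt format that comment:1 points to, plus a salt prefix for the `$6$` form from comment:2 drawn from a CSPRNG. It assumes hashes are stored as crypt(3) strings; the function names and the sample store are hypothetical, and the two hash strings are the ones quoted in comments 1 and 2.

```python
import re
import secrets
import string

# Alphabet used by crypt(3) for salts and encoded digests.
CRYPT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase

# Traditional DES crypt: 2 salt chars + 11 digest chars, no "$" prefix.
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")
# Modular crypt format: $<id>$...
MODULAR_RE = re.compile(r"\$([0-9a-z]+)\$.+")
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}


def classify(stored):
    """Return (scheme, limit); limit is 8 for DES, None when no 8-char limit applies."""
    if DES_RE.fullmatch(stored):
        return ("des", 8)  # only the first 8 password characters are hashed
    m = MODULAR_RE.fullmatch(stored)
    if m:
        return (SCHEMES.get(m.group(1), "unknown-modular"), None)
    return ("unrecognized", None)


def accounts_to_rehash(records):
    """Sorted usernames whose stored hash is traditional DES crypt."""
    return sorted(u for u, h in records.items() if classify(h)[0] == "des")


def new_sha512_prefix(length=16):
    """Build '$6$' + salt + '$' with the salt taken from the secrets module."""
    salt = "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(length))
    return "$6$" + salt + "$"


# Constructed sample store (usernames are made up).
SAMPLE = {
    "alice": "aaHHlPHAM4sjs",
    "bob": "$6$7755145694094087$uW0RGjvJG3I.BDFKIAieUTPZkD4IGI6b8RtLt1fZ9czR0TefjriLwRGPItgPyZogDFsy.YorN24v2GM4YrBwK0",
}

if __name__ == "__main__":
    for user in accounts_to_rehash(SAMPLE):
        print(user, "-> DES crypt hash, rehash at next successful login")
    print("new salt prefix:", new_sha512_prefix())
```

Flagged accounts can only be rehashed when the user next logs in, since the stored DES hash does not contain the full password.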

comment:3 Changed 7 years ago by jdemeyer

  • Milestone changed from sage-5.11 to sage-5.12

comment:4 Changed 7 years ago by vbraun_spam

  • Milestone changed from sage-6.1 to sage-6.2

comment:5 Changed 7 years ago by vbraun_spam

  • Milestone changed from sage-6.2 to sage-6.3

comment:6 Changed 6 years ago by vbraun_spam

  • Milestone changed from sage-6.3 to sage-6.4

comment:7 Changed 6 years ago by kcrisman

  • Milestone changed from sage-6.4 to sage-duplicate/invalid/wontfix
  • Reviewers set to Karl-Dieter Crisman
  • Status changed from new to needs_review

I cannot replicate this, and it is so old I am going to ask to close this.

comment:8 Changed 6 years ago by kcrisman

  • Status changed from needs_review to positive_review

comment:9 Changed 6 years ago by vbraun

  • Resolution set to invalid
  • Status changed from positive_review to closed