HMS password security

katip
Senior user
Posts: 785
Joined: 2006-12-22 07:58
Location: Istanbul

Post by katip » 2009-10-09 21:21

A message from the ASSP mailing list:
(...)A lesser, but still real, problem is that it's actually very hard to
have a truly secure password - that the user is able to remember. For
example, some years ago, an MTA crashed, badly. I used one of the
cracking tools, and fed it with all the usernames and known passwords.
In 10 minutes, it had successfully cracked 87% of the passwords! After
24 hours of running, we had cracked all but a dozen passwords. We called
those customers and asked them their passwords, and were up and running
again.

BTW: Even more fun - hMailServer for one appears to be unable to process
passwords that contain punctuation characters, if those passwords are
applied using a script - e.g. from a web form. So much for secure passwords!

Without comment :roll:
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Re: HMS password security

Post by martin » 2009-10-09 21:50

I just tried using =%!"#/(.;?) as password and that appears to work fine. I applied it using WebAdmin and had no problems logging on to SquirrelMail using it.

If you send me a private message with his email address, I can contact him and ask what the problem is.

I would guess that at least 5% of all users have some kind of punctuation characters in their password (myself included). It would seem strange if none of those had reported a problem here that it was not possible to log on using such passwords.

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Re: HMS password security

Post by martin » 2009-10-13 19:46

I have discussed it with him. In short, he told me that he set the password using hMailServer Administrator, and that it was not possible to authenticate using that password in web scripts.

It doesn't make sense that the problem would only affect web scripts, since hMailServer doesn't know or care whether the connecting SMTP client is a web script or an email client such as Outlook Express.

If there was a general issue that users having passwords with punctuation characters would not be able to authenticate in web scripts, I'm pretty sure more people would have noticed and mentioned it. I suggested to him that maybe the problem can be related to something else, such as encoding of non-ASCII characters in the web script. He hasn't gotten back to me on that though.

Unless he gets back to me with the character he used that didn't work, I won't spend more time on it.

sheffters
Senior user
Posts: 453
Joined: 2009-07-01 20:46

Re: HMS password security

Post by sheffters » 2009-10-13 19:54

I'd guess if it's a script thing the special characters weren't being escaped properly.

S.
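Added example (not code from the original thread or from hMailServer): a small Python model of the escaping point sheffters raises, using the password martin tested above. It shows that the password survives SMTP AUTH PLAIN unchanged, so the server is not the place it breaks, and then three constructed ways a web script can corrupt it before the server ever sees it: pasting it unescaped into a generated VBScript string literal (a lone `"` ends the literal early), the same line with correct VBScript quoting (embedded quotes doubled), and running the value through an HTML output-escaping helper. The `account.Password` line, the account name and the web-form handling are constructed for illustration; `account.Password` mirrors the hMailServer COM API property name but treat the script fragment as an assumption, not a transcript of anyone's code.

```python
"""Added example (not hMailServer code): why a punctuation-heavy password can be
accepted by the server yet fail when a web script sets or sends it.

PASSWORD is the one martin tested in the thread. The account name, the
web-form handling and the generated VBScript line are constructed; the
property name `account.Password` is assumed to mirror the hMailServer COM API."""
import base64
import html

PASSWORD = '=%!"#/(.;?)'          # martin's test password from the thread
USER = "user@example.com"          # constructed account name


# --- what the server actually sees on the wire -------------------------------

def auth_plain(user: str, password: str) -> str:
    """SASL PLAIN initial response (RFC 4616): NUL user NUL password, base64.
    Every byte except NUL is legal, so punctuation needs no escaping here."""
    raw = b"\x00" + user.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token: str) -> tuple:
    """Server side: undo the encoding and return (user, password)."""
    _authzid, user, password = base64.b64decode(token).split(b"\x00", 2)
    return user.decode("utf-8"), password.decode("utf-8")


def via_auth_plain(password: str) -> str:
    """Password as hMailServer would receive it from a correct SMTP client."""
    return decode_auth_plain(auth_plain(USER, password))[1]


# --- how a web script can corrupt the password before the server sees it -----

def parse_vbs_literal(fragment: str) -> str:
    """Return the string a VBScript interpreter takes from the first
    double-quoted literal in `fragment`. VBScript has no backslash escapes:
    a quote inside a literal is written as two quotes ("")."""
    i = fragment.index('"') + 1
    out = []
    while i < len(fragment):
        ch = fragment[i]
        if ch == '"':
            if i + 1 < len(fragment) and fragment[i + 1] == '"':
                out.append('"')       # doubled quote -> literal quote
                i += 2
                continue
            break                     # lone quote ends the literal
        out.append(ch)
        i += 1
    return "".join(out)


def via_naive_script(password: str) -> str:
    """Web form value pasted into a generated script line without escaping.
    The literal ends at the first embedded quote and the rest of the
    password is lost (the trailing text is a syntax error the script may
    or may not report)."""
    line = 'account.Password = "' + password + '"'   # assumed property name
    return parse_vbs_literal(line)


def vbs_string_literal(value: str) -> str:
    """Correct VBScript quoting: double every embedded quote."""
    return '"' + value.replace('"', '""') + '"'


def via_escaped_script(password: str) -> str:
    """Same generated line, but with the value quoted properly."""
    line = "account.Password = " + vbs_string_literal(password)
    return parse_vbs_literal(line)


def via_html_escape(password: str) -> str:
    """Password run through an output-escaping helper (the equivalent of
    PHP's htmlspecialchars) before being stored or sent: '"' becomes '&quot;'."""
    return html.escape(password)


def survives(password: str, path) -> bool:
    """True if the password that reaches hMailServer equals what was typed."""
    return path(password) == password


if __name__ == "__main__":
    for name, path in [("SMTP AUTH PLAIN", via_auth_plain),
                       ("naive script literal", via_naive_script),
                       ("escaped script literal", via_escaped_script),
                       ("html-escaped value", via_html_escape)]:
        print(f"{name:24s} -> {path(PASSWORD)!r}  ok={survives(PASSWORD, path)}")
```

Run stand-alone, the naive script path stores only `=%!` and the HTML-escaped path stores `=%!&quot;#/(.;?)`, so a later logon with the full password fails even though nothing is wrong on the server side; the properly quoted literal and the SMTP exchange both carry the password through intact. The same check applies to whatever language the web script is written in: compare what the script actually stores or sends against what the user typed, before blaming the mail server.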
