  1. #1
    cPanel Partner NOC
    Join Date
    Jun 2007
    Posts
    38

    Place limit on password protect directories function for cPanel

    Good day,

    Currently cPanel does not limit people who place passwords on their directories. This is a problem since crypt() will only hash up to 8 characters:

    "By taking the lowest 7 bits of each of the first eight characters of the key, a 56-bit key is obtained. This 56-bit key is used to encrypt repeatedly a constant string (usually a string consisting of all
    zeros). The returned value points to the encrypted password, a series of 13 printable ASCII characters (the first two characters represent the salt itself). The return value points to static data whose
    content is overwritten by each call."

    This is extremely confusing and frustrating for users of cPanel software, since one would expect a full password to be used when it's specified. Please add either a limit or a warning to cPanel's Password Protect Directory page to ensure that people only enter 8 character passwords. Thanks.

  2. #2
    cPanelDavidG, Technical Product Specialist
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Re: Place limit on password protect directories function for cPanel

    Quote: Originally posted by dibarra
    Good day,

    Currently cPanel does not limit people who place passwords on their directories. This is a problem since crypt() will only hash up to 8 characters:

    "By taking the lowest 7 bits of each of the first eight characters of the key, a 56-bit key is obtained. This 56-bit key is used to encrypt repeatedly a constant string (usually a string consisting of all
    zeros). The returned value points to the encrypted password, a series of 13 printable ASCII characters (the first two characters represent the salt itself). The return value points to static data whose
    content is overwritten by each call."

    This is extremely confusing and frustrating for users of cPanel software, since one would expect a full password to be used when it's specified. Please add either a limit or a warning to cPanel's Password Protect Directory page to ensure that people only enter 8 character passwords. Thanks.

    To clarify, on servers where the Tweak Setting "Use MD5 passwords with Apache" is set to "off" (which is no longer the default), the password should be limited to 8 characters even though longer passwords are accepted by crypt (just the 9th character and after are irrelevant to checking against crypt)?

    References:
    Password Formats - Apache HTTP Server
    https://issues.apache.org/bugzilla/s...g.cgi?id=47573
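
An audit sketch for the truncation discussed in this thread, added here as an example and not code from cPanel or either poster: it lists the users in an htpasswd-style file whose stored value has the shape of traditional crypt() output, and shows which bytes of a password that format actually uses, following the man page text quoted above. The function names are hypothetical, the format prefixes are the ones from Apache's Password Formats document, and the sample file is constructed.

```python
import re

# Traditional crypt(3) output: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(stored):
    """Name the Apache password format of one stored htpasswd value."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith("$2y$"):
        return "bcrypt"
    if stored.startswith("{SHA}"):
        return "sha1"
    if DES_CRYPT_RE.match(stored):
        return "des-crypt"
    return "unknown"

def des_crypt_key(password):
    """Bytes traditional crypt() keys on: low 7 bits of the first 8 characters."""
    return bytes(b & 0x7F for b in password.encode("utf-8")[:8])

def audit_htpasswd(text):
    """Return (user, format) for every user:hash entry in the file text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comments and malformed lines
        user, stored = line.split(":", 2)[:2]
        findings.append((user, classify_hash(stored)))
    return findings

def truncated_users(text):
    """Users whose password is only checked up to the 8th character."""
    return [user for user, fmt in audit_htpasswd(text) if fmt == "des-crypt"]

# Constructed sample; the hash values are made-up strings of the right shape only.
SAMPLE = """\
# constructed example file
alice:ab01234567890
bob:$apr1$abcdefgh$0123456789abcdefghijk.
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""

if __name__ == "__main__":
    print("entries using crypt():", truncated_users(SAMPLE))
    same = des_crypt_key("correcthorse1") == des_crypt_key("correcthorse2")
    print("passwords differing only after char 8 share a key:", same)
```

Users reported by `truncated_users` are the ones who need a new password stored in a longer-input format such as `$apr1$` or bcrypt; the hash cannot be converted without the password being entered again.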
