01207: Short passwords not recognised?

Summary: Short passwords not recognised?
Created: 2010-06-22 00:47
Status: Closed - duplicate for PITS:01141
Category: Bug
From: Profiles
Priority: 1
Version: 2.2.17

Description: Running on Windows XP Pro SP3, WAMP server: Apache 2.2.11, MySQL 5.1.36, PHP 5.3.0

When creating a temporary password for a user using 'UserAuth II', I noticed that if a password was 3 or fewer characters long, when trying to log in it doesn't allow the login, saying 'Wrong password supplied.'

Aside from the obvious security flaws of having such short passwords, is there any reason that this would happen?

A couple weeks ago we had this conversation on pmwiki-devel. Basically there's a PHP bug in 5.3.x that makes short passwords not work.

Also note this PITS entry which refers to it.

I don't use UserAuth2, but I'm guessing they let you put the password in and then check it, and since PHP doesn't return a correct value on the test, they give you that error message. The long and the short is that you need to use at least 4-character passwords if you are using PHP 5.3.0<==>5.3.2. --Peter Bowers June 22, 2010, at 03:45 AM

Hi Peter,

Thanks for the info. I searched for answers on '3 chars or less', not 'shorter than 4 chars' ;)

It is interesting that when you create the password (and it must do the password compare checks) it works ok as the hash must be the same, although it compares on incorrect hashes!

I suppose I should have expected problems using WAMP - but I am limited by what is available at work!

I will ensure that all passwords are longer than 4 chars when I set up temp passwords to avoid this problem.

Thanks again,