My honest opinion is that this is a totally unnecessary change. And a brutal one too. What difference does it make if it is 8 chars or 888 chars? It is going in plaintext over the wire.

For people with established systems, these functions are scattered everywhere -- in CGIs, PHPs, password changers, etc. It is not as easy as adding "-m" to htpasswd. I have to revise an entire platform to find out exactly where these are. Wouldn't making this optional be a better solution? Or informing people to use an older ncsa_auth?

This change caused a denial of service for many users in my system and it took 2 days to figure it out. People are not necessarily computer literate and they don't exactly point out what the problem is. They just say: "It is not working". It takes 20 emails back and forth and countless work hours to figure out what exactly is not working.

This one bit me very badly!

Jenny

----------------------------------------
> Date: Sun, 28 Aug 2011 22:29:18 +1200
> From: squid3@xxxxxxxxxxxxx
> To: squid-announce@xxxxxxxxxxxxxxx; squid-users@xxxxxxxxxxxxxxx
> Subject: [ADVISORY] SQUID-2011:2 Password truncation in NCSA using DES
>
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2011:2
> __________________________________________________________________
>
> Advisory ID:       SQUID-2011:2
> Date:              August 27, 2010
> Summary:           Password truncation in NCSA using DES
> Affected versions: Squid 3.0 -> 3.0.STABLE25
>                    Squid 3.1 -> 3.1.14
>                    Squid 3.2 -> 3.2.0.10
> Fixed in version:  Squid 3.2.0.11, 3.1.15, 3.0.STABLE26
> __________________________________________________________________
>
> http://www.squid-cache.org/Advisories/SQUID-2011_2.txt
> __________________________________________________________________
>
> Problem Description:
>
> DES algorithm implemented by htpasswd and crypt() in some popular
> encryption libraries silently truncates passwords. Squid NCSA
> authentication helper permits long and complex passwords to be
> used with DES despite this well known issue, leaving users with
> a false view of their security.
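As an added example, not part of Jenny's message or of the Squid advisory: the practical problem raised above is finding which accounts in an existing NCSA/htpasswd file are still stored with DES crypt(), since those are the entries affected by the 8-character truncation and by the fixed helper's rejection of longer passwords. The script below classifies each entry by its hash prefix using the standard crypt(3) and htpasswd conventions (13-character hash with no `$` prefix is DES; `$apr1$`, `$1$`, `$2y$`, `$5$`, `$6$` and `{SHA}` are the stronger schemes) and lists the DES users. The sample password file is constructed; its hashes are format-valid but are not derived from any real password.

```python
"""Audit an NCSA/htpasswd-style file for entries still hashed with DES crypt()."""
import re
from typing import List, NamedTuple

# Classic DES crypt(3): exactly 13 characters from the crypt alphabet, no "$id$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt and htpasswd prefixes, checked before the DES fallback.
PREFIXES = (
    ("$apr1$", "apr1-md5"),      # htpasswd -m (Apache MD5 variant)
    ("$1$", "md5-crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256-crypt"),
    ("$6$", "sha512-crypt"),
    ("{SHA}", "sha1"),            # htpasswd -s (base64 SHA-1, unsalted)
)


class Entry(NamedTuple):
    lineno: int
    user: str
    scheme: str
    hash: str


def classify(h: str) -> str:
    """Return the hash scheme name for one stored hash field."""
    for prefix, name in PREFIXES:
        if h.startswith(prefix):
            return name
    if DES_RE.match(h):
        return "des"
    return "unknown"


def audit(text: str) -> List[Entry]:
    """Parse 'user:hash' lines; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if not sep:
            entries.append(Entry(lineno, user, "malformed", ""))
            continue
        entries.append(Entry(lineno, user, classify(h), h))
    return entries


def des_users(text: str) -> List[str]:
    """Accounts whose stored hash is DES crypt(): only the first 8 password
    characters were ever checked, and the fixed helper rejects longer passwords."""
    return [e.user for e in audit(text) if e.scheme == "des"]


# Constructed sample file (not a real password file); hash values are made up.
SAMPLE = """# constructed sample
alice:xyQ8l2vTw3Pk.
bob:$apr1$Zt3r9kQs$7hT2oGQw1cQbvHQ0mJ4vWq
carol:/Ab7tR2sK9mLq
dave:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
erin:$1$Zt3r9kQs$7hT2oGQw1cQbvHQ0mJ4vWq
broken line without colon
"""

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(f"line {e.lineno}: {e.user:8} {e.scheme}")
    print("DES entries to re-hash (e.g. with htpasswd -m):", des_users(SAMPLE))
```

Run it against the real file (`audit(open("/etc/squid/passwd").read())`) to get the list of accounts that must be re-hashed; the hash alone cannot tell you whether a DES user originally chose a password longer than 8 characters, so every DES entry should be treated as affected.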