Hello everybody. Today, while I was entering my password at my Ubuntu 8.10 login desktop, I entered one character more than the actual password by mistake. Voila! I had successfully logged on to my user desktop. Everything was working fine. I noticed this was also the case when using administrative applications in ‘System -> Administration’. It also exists for ‘sudo’ (root user) commands used in the terminal. This is a big security vulnerability.
The login is successful whenever the password is entered correctly up to eight characters (or fewer for shorter passwords), irrespective of the length of the password.
Login is unsuccessful if the password is entered incorrectly up to the eighth character.
Suppose my password is ‘calculator’.
Entering the following password will give a successful login:
Many other combinations are possible. The only condition is that the password should be correct up to eight characters, or fewer for a shorter password.
I didn’t find any bug in Launchpad regarding this, so I have filed a bug. Click here to view the status of the bug at Launchpad.
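The eight-character behaviour described above matches what the traditional DES-based crypt(3) password scheme does, since it reads only the first eight characters of a password. The post does not say this is the cause on the author's system, so that is an assumption. The following is an added example, not part of the original post: a small audit that flags accounts in shadow-format data whose stored hash is in that traditional format. The function names and the sample entries are constructed for illustration.

```python
import re

# Traditional DES crypt(3): 2 salt characters + 11 hash characters, no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt prefixes ($id$...) and the scheme each one names.
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

def classify(field):
    """Return the scheme name for the password field of one shadow entry."""
    h = field.lstrip("!")  # a leading "!" marks a locked password
    if h in ("", "*"):
        return "no-password" if field == "" else "locked-or-disabled"
    if h.startswith("$"):
        parts = h.split("$")
        return MODULAR.get(parts[1], "unknown-modular") if len(parts) > 2 else "unknown"
    if DES_RE.match(h):
        return "des-crypt"
    return "unknown"

def truncating_accounts(shadow_text):
    """List users whose stored hash ignores password characters past the eighth."""
    flagged = []
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        if classify(fields[1]) == "des-crypt":
            flagged.append(fields[0])
    return flagged

# Constructed sample in /etc/shadow format; the hash strings are placeholders,
# not real hashes of any password.
SAMPLE = """\
alice:ab0123456789.:14200:0:99999:7:::
bob:$6$saltsalt$CONSTRUCTEDPLACEHOLDER:14200:0:99999:7:::
carol:!ab0123456789.:14200:0:99999:7:::
daemon:*:14200:0:99999:7:::
"""

if __name__ == "__main__":
    for user in truncating_accounts(SAMPLE):
        print(f"{user}: DES crypt hash, only the first 8 password characters are checked")
```

Accounts flagged this way need their password set again after the system is configured to use a non-truncating scheme, because the stored hash itself cannot be converted.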