Password accepted when characters are added

The most likely reason why this happens is that the system truncates passwords. To check this hypothesis, you could try to change your password to something longer and see what happens: does the system recognize "thisquitelongpassword" as "thisquitelong"? If so, the system definitely truncates passwords. If not, there may be serious issues with input validation, as highlighted by @Matthew.

While password truncation may be necessary to interact with legacy systems - which also truncate usernames, see this answer on Serverfault - in general it should be avoided, as it reduces the "password space", i.e. the number of unique passwords that can be generated.

Attackers can save a lot of resources (time, money) if they know that their target system uses truncated passwords, since they know they don't need to try passwords longer than the truncation length.

While your behavior doesn't seem malicious to me, some organizations are very sensitive about people finding flaws in their systems.

Therefore, you might try to tell your university about this, but don't stress your knowledge of possible attacks too much. Just saying something like "I read this can be a sign of a security issue" should be fine. Also, don't state things in an absolute way like "this is completely unreasonable", as there may be reasons for that (for password truncation, not wrong input validation).

Obviously, don't perform too many tests, don't automate the tests, and don't carry out attacks.


It could suggest that any password hashing routine being used is either truncating the input (only using the first x characters of the password), or the comparison for correct passwords has been implemented poorly, and is only comparing the first part (this could imply either a block cipher being used to store passwords, or raw passwords being stored).

Neither situation is particularly good.

In the event of truncation, it gives a false sense of security - you might have picked a long random password, but if only the first few characters are actually being used, it isn't anywhere near as secure as you might think it is, and hence could be guessed in a brute force attack more easily. I'd hope this was the more likely explanation.

In the event of a poor comparison routine, this suggests that the developer responsible for the authentication routine was not familiar with secure development practices. By using a partial comparison (e.g. SELECT * FROM users WHERE 'username' LIKE '$username%' AND 'password' LIKE '$password%'), it again increases the chances of brute force attacks working, but also suggests that other mistakes may have been made: given the above example, potentially setting a password of a' OR 1=1'-- would give an SQL injection attack. Obviously, this is a slightly contrived example, but not beyond the realms of possibility.

In the case of a block cipher being used, rather than a password hashing algorithm, the length allowed in the database may be insufficient for a long password, once encrypted. Effectively, this is truncation, but of the encrypted data, rather than of the input. The end effect is the same though: providing a long password gives a false sense of security.
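The probe from the first answer (does the password still work with characters appended?) and the flawed checks the second answer describes, written out as an added example that is not part of either answer. The three check functions, the probe, the 8-character limit and the static salt are constructed for illustration only; a real system would use a per-user random salt and a password hash such as bcrypt or Argon2.

```python
import hashlib
import hmac

# Constructed example: two flawed password checks, one correct one, and the
# probe that distinguishes them. Names, salt and the limit are illustrative.

SALT = b"constructed-static-salt"  # real systems: random salt per user


def _h(password: str) -> bytes:
    """Salted PBKDF2 over the whole password (the correct building block)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 10_000)


def truncating_check(registered: str, supplied: str, limit: int = 8) -> bool:
    """Flawed: legacy-style truncation to `limit` characters before hashing."""
    return hmac.compare_digest(_h(registered[:limit]), _h(supplied[:limit]))


def prefix_check(registered: str, supplied: str) -> bool:
    """Flawed: plaintext prefix match, as in WHERE password LIKE '$password%'."""
    return registered.startswith(supplied)


def full_check(registered: str, supplied: str) -> bool:
    """Correct: hash the full password and compare digests in constant time."""
    return hmac.compare_digest(_h(registered), _h(supplied))


def diagnose(check, password: str) -> dict:
    """Probe a check function: is the registered password still accepted with
    characters appended (the question's observation) or with characters cut off?
    A sound implementation answers True only for the exact password."""
    return {
        "exact": check(password, password),
        "appended": check(password, password + "XYZ"),
        "shortened": check(password, password[:-3]),
    }


def effective_keyspace(alphabet: int, length: int, limit=None) -> int:
    """Distinct passwords an attacker must consider: truncation caps the useful
    length at `limit`, shrinking the space from alphabet ** length."""
    return alphabet ** (length if limit is None else min(length, limit))


if __name__ == "__main__":
    for name, fn in (("truncating", truncating_check), ("prefix", prefix_check), ("full", full_check)):
        print(f"{name:10s} {diagnose(fn, 'thisquitelongpassword')}")
    print("95-char alphabet, 21-char password, 8-char truncation:",
          effective_keyspace(95, 21, 8), "vs", effective_keyspace(95, 21))
```

Only the full-hash check rejects both probes; the truncating check accepts both, and the prefix check accepts the shortened password, which is why the answer treats either behaviour as a defect.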

Tags:

Passwords