Problem with tilde character in password

Question

Problem with tilde character in password

I've discovered an odd bug in 10.5.8 (updated from my 10.5.6 Retail copy) where a tilde in a password field fails to get passed to a remote macintosh.

Using a password such as abc~xyz is valid for setting up an account and logging into the system (or sudo/admin access).

It does not work when authenticating to a 10.5 system remotely from another 10.5 system for any of the following that I've tried: AFP, ssh, sftp or ftp (both from command line or from an application such as CyberDuck), and Screen Sharing.

It does work, however, when authenticating into a 10.5 system (as a user whose password has a tilde) from a system running 10.4.

To reproduce:
On system 'A' running 10.5, create a user 'resu' with the above password.
On system 'B' running 10.5, try to access the 'resu' user account on 'A'.
This should fail.
On system 'C' running 10.4, try to access the 'resu' user account on 'A'.
This should work.

PowerBook G4, Mac Mini 1.67GHz, Mac OS X (10.5.8), G4 runs 10.4.11

Posted on Sep 19, 2009 6:59 PM

Reply

Answer 1

Kappy

Level 10

362,007 points

Sep 19, 2009 8:03 PM in response to thebobcampbell

For what it's worth: It's best to avoid special characters in passwords and stick with alphanumerics and the underscore (no spaces either.)

I know this doesn't reflect the situation you've described, but the above avoids a lot of potential problems when it comes to passwords.

Reply

Answer 2

Oct 4, 2009 2:12 PM in response to Kappy

I disagree. Being able to use any printable character is important for strength, as it expands the space of all possible passwords.

Aside from that, the system should be handling passwords with gloves. It should not be evaluating anything in the password. The fact that a tilde is getting dropped (or otherwise mishandled) denotes that the system is not just passing the password along. This is the kind of thing that could become a security issue; if you know a tilde in a password will produce a certain behavior, it could be a foot in the door to the system.

Reply

Answer 3

Kappy

Level 10

362,007 points

Oct 4, 2009 2:24 PM in response to thebobcampbell

Well, I don't wish to debate the issue. Choosing good passwords in Mac OS X presents Apple's overview of passwords. If you're sure there is a bug in the handling of certain passwords then I suggest you report it here: Feedback.

Reply

Answer 4

Oct 5, 2009 1:10 PM in response to thebobcampbell

I would suspect it is to do with the remote connection. You don't say precisely 'where' the tilde is lost. Is it at your end (Mac?) or somewhere in the probably Windows servers involved in the remote. In an earlier OS my PB baulked at 3 key characters. It took two key characters. I have passwords that use all the 'normal' characters and the shift + top row things. I also do definitely use tildes. I haven't tried a tilde with a web mail password but the 'top row' works.

Test the permutations. If we are about user PWs (my working hypothesis), set up a test user. You can always change the PW with th boot disk.

Reply

Answer 5

Oct 15, 2009 6:58 PM in response to Kappy

my favorite password trick USED TO BE a space and then a backspace (or delete) which then looked to anyone as an empty or blank password because there was no asterisks in the password area. but if someone else (a bad guy) tried using no password on my account, it of course didnt match. i think somehow the space and backspace was taken as 4 characters (space, backspace, carriage return and linefeed) which of course at that time was the minimum # of characters allowed. unfotunately that was the old days on another system. ,,,, just sharing .... i miss using that trick nowadays

Reply