allowable characters in passwords

Ethan Blanton elb at pidgin.im
Tue May 5 14:53:50 EDT 2009


Peter Saint-Andre spake unto us the following wisdom:
> On 5/5/09 11:24 AM, Ethan Blanton wrote:
> > Peter Saint-Andre spake unto us the following wisdom:
> >> After changing someone's password at the jabber.org IM service (yes, I
> >> handle lost-password requests), I noticed that Pidgin will not accept
> >> certain characters in passwords (the sticking point this time was "+").
> >> Does Pidgin allow only [a-zA-Z0-9] or somesuch?
> > 
> > I don't see anything in the code that suggests this ... what do you
> > mean by "will not accept"?
> 
> I changed this person's pw to some long hash, where the hash included
> the "+" character in the middle. I could log in as this person using
> Psi, but he could not log in with Pidgin. He reported the error as this:
> 
> > Could not establish a connection with the server:
> > Error resolving Jabber: 11001

OK ... I think that's how Windows indicates a DNS failure.  This may
not be an auth issue at all.

> Once I changed the pw again to remove the "+", he was able to log in.
> However, I also shortened the pw from 27 to 18 characters while I was at
> it, so that might have been the issue.
> 
> He also experienced this problem in Gajim and Jabbim.

As best I can tell, we care about neither length nor characters, at
least for our *internal* auth mechanisms.  (Cyrus SASL et al. may have
other ideas.)  It is possible that our md5 HMAC mishandles long keys,
I suppose.  I think we should rule out that this was an error entirely
unrelated to the password contents first, though, as it seems likely
to me that the password contents are beside the point.

If you can provide us with an account + password (or simply a
password, along with the auth mechanism being used/offered) that
fails, that might shed some more light on the topic.

Incidentally, there are others who know a lot more about XMPP auth on
this list than I do, so perhaps one of them will chime in with
something I'm missing.  I'm just looking at the code.  ;-)

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764
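Added example, not part of the thread or of Pidgin's code: an RFC 2104 HMAC-MD5 written out step by step beside a deliberately broken variant that truncates over-long keys instead of hashing them, both checked against Python's stdlib `hmac` module. The 27-character password containing "+" and the 100-byte key are constructed values; the example shows that the long-key path only matters once a key exceeds MD5's 64-byte block, so a 27-character password alone cannot trigger that class of bug.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 block size in bytes, "B" in RFC 2104


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 exactly as RFC 2104 specifies it.

    A key longer than the block size is first reduced to its MD5 digest;
    a key shorter than the block size is zero-padded to the block size.
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).digest()


def hmac_md5_truncating(key: bytes, msg: bytes) -> bytes:
    """Deliberately wrong variant: drops key bytes beyond the block size
    instead of hashing the key. Agrees with hmac_md5 for any key of at
    most 64 bytes, so a short password never exposes the defect."""
    key = key[:BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes = b"constructed-challenge") -> bool:
    """True if the step-by-step HMAC agrees with Python's hmac module."""
    reference = hmac.new(key, msg, hashlib.md5).digest()
    return hmac.compare_digest(hmac_md5(key, msg), reference)


# Constructed test values (not real credentials): a 27-character password
# with a "+" in the middle, and a key long enough to exceed the block size.
PASSWORD_27 = b"x7Qm+2Lp9vRt4Kd8NwZs1Yf6Hj0"
LONG_KEY = b"+" * 100

if __name__ == "__main__":
    for label, key in (("27-char password", PASSWORD_27), ("100-byte key", LONG_KEY)):
        same = hmac_md5_truncating(key, b"c") == hmac_md5(key, b"c")
        print(f"{label}: stdlib match={matches_stdlib(key)}, truncating bug visible={not same}")
```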