Linux user account logs in even if I enter a few characters less of the password

Ok, I just got a VPS. I created a new account in Linux and set a password, let's say 123456789. The problem is, it logs in EVEN if I enter 1234567 :S That is SO bizarre! And yes, I checked it by changing the password. I set the password thepassword123 and tried again, and yes, it's logging in with thepassword. But if I enter something totally different, then it doesn't log in.

Any ideas? Tell me if you need more information!


Solution 1:

Some authentication methods only rely on a hash of the first X characters (typically 5-8) of the password.

The above completely depends on the software doing the authentication, the distro of Linux, and the software you are specifically connecting to.

It may very well be working as intended (or working as programmed) for what you're logging into.

Solution 2:

http://linux.die.net/man/8/pam_passwdqc

Specifically the max option:

The maximum allowed password length. This can be used to prevent users from setting passwords which may be too long for some system services. The value 8 is treated specially: if max is set to 8, passwords longer than 8 characters will not be rejected, but will be truncated to 8 characters for the strength checks and the user will be warned. This is to be used with the traditional DES-based password hashes, which truncate the password at 8 characters.
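An added check, not part of either answer above: a small Python audit of shadow(5)-style entries that flags accounts whose password is still stored with traditional DES crypt, the scheme the man page excerpt says truncates passwords at 8 characters. The shadow lines and hashes below are constructed placeholders, not data from any real host.

```python
import re
from typing import Dict, List

# Constructed sample /etc/shadow content; the hashes are placeholders of the
# right shape, not real credentials from any host.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$PlaceholderSha512CryptHashNotReal:19000:0:99999:7:::
alice:$y$j9T$SaltValue$PlaceholderYescryptHash:19000:0:99999:7:::
bob:abJnggxhB/yWI:19000:0:99999:7:::
carol:$1$saltsalt$PlaceholderMd5CryptHash:19000:0:99999:7:::
dave:!$6$saltsalt$LockedAccountPlaceholder:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

# crypt(3) scheme identifiers. A field with no "$id$" prefix that is exactly 13
# characters of the crypt alphabet is traditional DES crypt, which hashes only
# the first 8 characters of the password (the behaviour the question describes).
PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")

def classify_hash(field: str) -> str:
    """Name the hashing scheme used by one shadow password field."""
    if field in ("", "*") or field.startswith("!"):
        return "locked-or-empty"           # no usable password at all
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_CRYPT_RE.fullmatch(field):
        return "des-crypt"
    return "unknown"

def audit_shadow(shadow_text: str) -> Dict[str, str]:
    """Map each account in shadow(5) text to the scheme protecting its password."""
    result = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            result[fields[0]] = classify_hash(fields[1])
    return result

def find_truncating_accounts(shadow_text: str) -> List[str]:
    """Accounts whose stored hash covers only the first 8 password characters."""
    return [u for u, scheme in audit_shadow(shadow_text).items() if scheme == "des-crypt"]
```

On a real system, read /etc/shadow as root and pass its contents to find_truncating_accounts; any account it lists needs its password reset after the system default (ENCRYPT_METHOD in /etc/login.defs) is set to a modern scheme such as sha512crypt or yescrypt.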