RE: [squid-users] [ADVISORY] SQUID-2011:2 Password truncation in NCSA using DES

From: Jenny Lee <>
Date: Sun, 28 Aug 2011 12:30:05 +0000

My honest opinion is that this is a totally unnecessary change. And a brutal one too.
What difference does it make if it is 8 chars or 888 chars? It is going plaintext over the wire.
For people having established systems, these functions are scattered everywhere -- in CGIs, PHPs, password changers, etc. It is not as easy as adding an "-m" to htpasswd. I have to revise an entire platform for this to find out exactly where these are.
Wouldn't making this optional be a better solution? Or informing people to use an older ncsa_auth?
This change caused denial-of-service for many users in my system and it took 2 days to figure it out. People are not necessarily computer literate and they don't exactly point out what the problem is. They just say: "It is not working". It takes 20 emails back and forth and countless work hours to figure out what exactly is not working.
This one bit me very badly!

> Date: Sun, 28 Aug 2011 22:29:18 +1200
> Subject: [squid-users] [ADVISORY] SQUID-2011:2 Password truncation in NCSA using DES
> __________________________________________________________________
> Squid Proxy Cache Security Update Advisory SQUID-2011:2
> __________________________________________________________________
> Advisory ID: SQUID-2011:2
> Date: August 27, 2010
> Summary: Password truncation in NCSA using DES
> Affected versions: Squid 3.0 -> 3.0.STABLE25
> Squid 3.1 -> 3.1.14
> Squid 3.2 ->
> Fixed in version: Squid, 3.1.15, 3.0.STABLE26
> __________________________________________________________________
> __________________________________________________________________
> Problem Description:
> DES algorithm implemented by htpasswd and crypt() in some popular
> encryption libraries silently truncates passwords. Squid NCSA
> authentication helper permits long and complex passwords to be
> used with DES despite this well known issue. Leaving users with
> a false view of their security.
Received on Sun Aug 28 2011 - 12:30:22 MDT
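To find which accounts are actually affected by the truncation the advisory describes, an administrator can audit the NCSA/htpasswd file for traditional DES crypt() entries (13-character hashes with no "$" prefix). The script below is an added example, not code from Squid or htpasswd; the sample file and its hash strings are constructed, and the format prefixes are the common htpasswd schemes.

```python
"""Audit an htpasswd-style file for DES crypt() entries (constructed example)."""
import re

DES_MAX_PASSWORD_LEN = 8  # traditional DES crypt(3) uses only the first 8 chars

# Traditional DES: 2-char salt + 11-char hash, alphabet [./0-9A-Za-z], no '$'
_DES_RE = re.compile(r'^[./0-9A-Za-z]{13}$')


def classify_hash(h):
    """Return a scheme name for one htpasswd hash field (assumed prefixes)."""
    if h.startswith('$apr1$'):
        return 'apr1-md5'
    if h.startswith('$1$'):
        return 'md5-crypt'
    if h.startswith(('$5$', '$6$')):
        return 'sha-crypt'
    if h.startswith(('$2a$', '$2b$', '$2y$')):
        return 'bcrypt'
    if h.startswith('{SHA}'):
        return 'sha1'
    if _DES_RE.match(h):
        return 'des'
    return 'unknown'


def effective_password(password, scheme):
    """The part of the password the scheme really verifies."""
    if scheme == 'des':
        return password[:DES_MAX_PASSWORD_LEN]
    return password


def audit_htpasswd(text):
    """Return [(user, scheme)] for every entry still stored with DES."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        user, sep, h = line.partition(':')
        if sep and classify_hash(h) == 'des':
            findings.append((user, 'des'))
    return findings


SAMPLE = """\
# constructed sample; hashes are not real password hashes
alice:abJnggxhB/yWI
bob:$apr1$saltsalt$0WO3nLvV0wTQ6ay9GuBPX.
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

if __name__ == '__main__':
    for user, scheme in audit_htpasswd(SAMPLE):
        print(f"{user}: {scheme}, only first {DES_MAX_PASSWORD_LEN} chars checked")
```

Users listed by the audit need their entries regenerated with a non-DES scheme (for example "htpasswd -m") before a password longer than 8 characters gives them any real benefit.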
