Passwords longer than 8 characters

Jinx_Dojo
Posts: 8
Joined: 2009-06-08 22:25

Post by Jinx_Dojo »

Did I miss something? Is there a reason that passwords are limited to only 8 characters? I understand there are additional options such as MS-Logon, as well as the encryption plugin, but still, why is there an 8 character limit on standard passwords? In an age where more and more programs are forcing minimum lengths, I would think UltraVNC would at least allow for up to 32 if not 64 character passwords.
Last edited by Jinx_Dojo on 2009-06-08 22:37, edited 1 time in total.
Rudi De Vos
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21

Post by Rudi De Vos »

RFB protocol == passwd 8 chars.
Changing this would break compatibility with all other (Unix, Mac, CE)
viewers and servers.
Jinx_Dojo
Posts: 8
Joined: 2009-06-08 22:25

Post by Jinx_Dojo »

Perhaps I'm underestimating such a change, but, from an end-user perspective: wouldn't a simple "break RFB protocol and allow passwords > 8 chars" checkbox work? Servers could then choose to maintain compatibility or not. I've been using RealVNC for a while, and somehow it manages to allow longer passwords, so I can only assume they deemed the added security worth amending the protocol. (Or, perhaps their client/server Of course, I'd much rather use UltraVNC, as it seems to have more features, but I have to say that the setup for proper, secure use over the internet is somewhat confusing (as is the website, unrelatedly). This is particularly the case if one does not wish to use MS-Logon.

Anyway, the last thing I want to do is criticize the project: I applaud the developers for their work and hope they continue to make it better and easier for everyone. I really think the option to relax the 8 character standard would be beneficial overall. Thank you for taking the time to consider my suggestion.
Rudi De Vos
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21

Post by Rudi De Vos »

> I've been using RealVNC for a while, and somehow it manages to allow longer passwords

Are you sure it is using more than 8 chars... or just allows you to enter it?
In the old versions, you could enter more, but internally only the first 8 were used.
Setting 12345678ABC as pass or 12345678 was just the same.

We block at 8 because I didn't like this behaviour. It's better that people
know only 8 are used than giving them the idea that their server is protected with a 30 char passwd.

Anyway, without encryption even 64 chars are not safe.
If you can sniff the net, you can just record the encrypted string and use a special viewer that allows you to enter this string...
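The truncation Rudi describes falls out of how RFB "VNC Authentication" (RFC 6143, section 7.2.2) derives its DES key. The following is an added example written for this thread, not code from UltraVNC or RealVNC: it computes a viewer's response to a server challenge and shows that any two passwords sharing their first 8 bytes produce byte-identical responses, so a server using this scheme cannot tell "12345678ABC" from "12345678". The challenge bytes are constructed, and `checkPasswordPolicy` is a hypothetical server-side check that refuses rather than silently truncates, which is the behaviour described above.

```go
package main

import (
	"bytes"
	"crypto/des"
	"errors"
	"fmt"
)

// vncKey derives the 8-byte DES key of RFB "VNC Authentication" (RFC 6143, 7.2.2):
// the password is truncated to 8 bytes or zero-padded on the right, and each byte
// is bit-reversed (a quirk inherited from the original AT&T VNC code that every
// compatible viewer and server reproduces).
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // copy stops at 8 bytes, so bytes 9 and beyond are dropped
	for i := range key {
		key[i] = reverseBits(key[i])
	}
	return key
}

// reverseBits mirrors the bit order of one byte (0x01 becomes 0x80).
func reverseBits(b byte) byte {
	var r byte
	for i := 0; i < 8; i++ {
		r = r<<1 | b&1
		b >>= 1
	}
	return r
}

// vncAuthResponse computes what a viewer sends back for a 16-byte server
// challenge: both 8-byte halves encrypted with single DES under vncKey(password).
func vncAuthResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, errors.New("VNC Authentication challenge must be 16 bytes")
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	block.Encrypt(resp[:8], challenge[:8])
	block.Encrypt(resp[8:], challenge[8:])
	return resp, nil
}

// sameEffectivePassword reports whether two passwords are indistinguishable to a
// VNC Authentication server, which is the case whenever their first 8 bytes agree.
func sameEffectivePassword(a, b string) bool {
	return bytes.Equal(vncKey(a), vncKey(b))
}

// checkPasswordPolicy is a hypothetical server-side check in the spirit of the
// UltraVNC stance: refuse a password that would be silently truncated instead of
// letting the user believe the extra characters add protection.
func checkPasswordPolicy(password string) error {
	switch {
	case len(password) == 0:
		return errors.New("empty password")
	case len(password) > 8:
		return fmt.Errorf("password is %d bytes but VNC Authentication uses only the first 8; refusing to truncate silently", len(password))
	}
	return nil
}

func main() {
	// Constructed challenge; a real server sends 16 random bytes per connection.
	challenge := []byte("0123456789abcdef")
	long, _ := vncAuthResponse("12345678ABC", challenge)
	short, _ := vncAuthResponse("12345678", challenge)
	fmt.Printf("12345678ABC -> %x\n12345678    -> %x\n", long, short)
	fmt.Println("identical responses:", bytes.Equal(long, short))
	fmt.Println("policy:", checkPasswordPolicy("12345678ABC"))
}
```

The key point is the `copy` into a fixed 8-byte buffer: whatever a viewer's password dialog accepts, only those 8 bytes ever reach DES, so a longer limit in the UI changes nothing on the wire unless the authentication scheme itself is replaced.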
Jinx_Dojo
Posts: 8
Joined: 2009-06-08 22:25

Post by Jinx_Dojo »

I don't have the source code, of course, so I can't say for sure, however when I enter only the first 8 characters of my password in the viewer, it does not allow me on. I suspect additional tests would prove that no variation of my 11 character password would be accepted, so I would guess it uses the full password, or, if not, hashes the password into a CRC or something.

> It's better that people
> know only 8 are used than giving them the idea that their server is protected with a 30 char passwd.

Agreed. But it's even better to actually protect their server with a 30 character password. :)

> Anyway, without encryption even 64 chars are not safe.

Indeed. But 8 characters is particularly subject to brute force even with encryption. Even 2 additional characters would take passwords well beyond the current realm of brute forcing.

Unrelatedly, it'd be nice to clearly see when a connection is encrypted via some icon (in both the screen viewer as well as the logon dialog), so one using the viewer knows whether or not his/her password is being sent in the clear. I am particularly confused when the MSRC4 plugin states it hasn't found a key file and is therefore "using password," since I don't know if that means it's still secure or not, or to what degree.