Dear Inter7 Developer:
I recently discovered the following security drawback in vpopmail with
vchkpw authentication:
No matter how long you set the password to when adding a new user, only the
first 8 characters of the password are used. So for example, if I do:
./vadduser [EMAIL PROTECTED] this-is-hard-to-guess-234234235-23423
and then I try to login to my email as user "test" and password "this-is-",
it would let me in.
As you may already know, any password below 8 characters is considered
insecure, even if it was a combination of letters, numbers, and special
characters. In other words, Standard DES crypto is used :(
Best Regards,
Tamer Hassan
