GNOME Bugzilla – Bug 320121
Remote desktop should allow longer passwords
Last modified: 2005-10-31 17:00:38 UTC
Distribution/Version: Ubuntu

Vino won't let me set a password longer than 8 characters. This seems odd, especially for a service I want to expose over the internet (which is why I'm marking it as major). I don't think it's a limitation of the protocol, as RealVNC has no problem with 10 characters, at least.
It *is* a limitation of the protocol. See vino/doc/remote-desktop.txt:

--
VNC uses a simple DES based challenge-response authentication scheme. In order to authenticate the client, the server sends a random 16 byte challenge and the client then encrypts the challenge with DES using the user supplied password as a key. If the response matches the expected result, the client is authenticated. Otherwise, the server closes the connection.

There are a number of possible vulnerabilities with this mechanism. Firstly, the password, being limited to 8 characters, could be brute force guessed by an attacker who continually tries to authenticate using different passwords[21]. The standard way of making such attacks unfeasible is to enforce a delay between failed authentication attempts - i.e. if there has been a failed authentication attempt, delay sending the challenge to the next client who connects for a number of seconds.
---

Your password is used as a DES key, which is 64 bits, which is 8 characters ...