warn about maximum VNC password length #370

Open
GereeNice opened this Issue Oct 19, 2016 · 3 comments


@GereeNice
GereeNice commented Oct 19, 2016 edited

Hey there!

I have a shared OS X / Win10 desktop PC, and I wanted to be able to reach Windows also, so I installed x64 1.7.0. Set up Standard VNC authentication, and tested it with RealVNC from my iPhone, only to notice it connected without entering the password.

The phone has a 20+ char long saved password for OS X, which starts the same as the Windows one but is not identical to it. Is the password being cut before verifying? If there is a limit to password length, a user notification would be important when setting it.

Or if there is no such thing, then I have no idea why it lets me in and that's a worrying thought.

What could be the cause?

@hildred
hildred commented Oct 19, 2016

The standard VNC authentication is a textbook example of how not to do passwords. It contains numerous design flaws including truncation, which would explain what you are seeing. Anyone trusting a plain or VNC password without some sort of channel encryption is unprepared to face an attacker more sophisticated than ... well, words fail. At least with security=none you know how little security you have.
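As an added example (not code from this thread or from the project), a small Go program reproduces the standard VNC challenge-response as RFC 6143 section 7.2.2 specifies it: the password is truncated to 8 bytes before it becomes the DES key, so a long password and any other password that shares its first 8 characters produce the same response and the server cannot tell them apart. The challenge and the passwords below are constructed sample values; the per-byte bit reversal is the key-order quirk of the original VNC DES code that other implementations must mirror.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// vncKey derives the 8-byte DES key of standard VNC authentication: truncate the
// password to 8 bytes (or pad with NUL bytes), then reverse the bits of each byte.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // copy stops at 8 bytes: anything longer is silently dropped
	for i, b := range key {
		var r byte
		for j := uint(0); j < 8; j++ {
			r = r<<1 | (b>>j)&1
		}
		key[i] = r
	}
	return key
}

// vncResponse computes the client's reply to a 16-byte server challenge: DES-ECB, block by block.
func vncResponse(password string, challenge []byte) ([]byte, error) {
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(challenge))
	for i := 0; i+8 <= len(challenge); i += 8 {
		block.Encrypt(out[i:i+8], challenge[i:i+8])
	}
	return out, nil
}

// sameResponse reports whether two passwords answer the same challenge identically.
func sameResponse(p1, p2 string, challenge []byte) bool {
	a, errA := vncResponse(p1, challenge)
	b, errB := vncResponse(p2, challenge)
	return errA == nil && errB == nil && bytes.Equal(a, b)
}

func main() {
	challenge := []byte("0123456789abcdef") // constructed; a real server sends 16 random bytes
	saved := "correcthorsebatterystaple"     // constructed: the long password saved on the phone
	windows := "correcth"                    // constructed: a password sharing the first 8 characters
	fmt.Println("indistinguishable:", sameResponse(saved, windows, challenge))
	fmt.Println("8th char differs: ", sameResponse(saved, "correctH", challenge))
}
```

Run against your own server's saved passwords, this is the quickest way to confirm whether two credentials collapse to the same 8-byte key; the only real fix is to put VNC behind channel encryption and not rely on this authentication at all.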

@GereeNice

And if you happen to have the time, do you have any suggestions what could make a safe and good solution that allows me to connect to the built-in OS X Screen Sharing, and vice versa? So far Tiger with standard is the only one I found to work. I wouldn't want to install another service since this is available on any machine around by default, and I also haven't made up my mind to set up a VPN only for this either.

I know this might be kind of off topic, therefore I value your input even more.

@CendioOssman
Member

Apple's screen sharing isn't really VNC compatible, so I would recommend a client that is specifically written for that server. No idea how the security is in the different varieties though.

@CendioOssman CendioOssman changed the title from Service accepts different password to warn about maximum VNC password length Oct 24, 2016