Celebrating the 22nd anniversary of UltraVNC: https://forum.uvnc.com/viewtopic.php?t=38031
Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to the latest version before creating a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Bluesky/AT Protocol: https://bsky.app/profile/ultravnc.bsky.social
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Passwords longer than 8 characters
Did I miss something? Is there a reason that passwords are limited to only 8 characters? I understand there are additional options such as MS-Logon, as well as the encryption plugin, but still, why is there an 8 character limit on standard passwords? In an age where more and more programs are forcing minimum lengths, I would think UltraVNC would at least allow for up to 32 if not 64 character passwords.
Last edited by Jinx_Dojo on 2009-06-08 22:37, edited 1 time in total.
- Rudi De Vos
- Admin & Developer
- Posts: 6879
- Joined: 2004-04-23 10:21
Re: Passwords longer than 8 characters
rfb protocol == passwd 8 chars
Changing this would break compatibility with all other (unix,mac,ce)
viewers and servers.
Re: Passwords longer than 8 characters
Perhaps I'm underestimating such a change, but, from an end-user perspective: wouldn't a simple "break RFB protocol and allow passwords > 8 chars" checkbox work? Servers could then choose to maintain compatibility or not. I've been using RealVNC for a while, and somehow it manages to allow longer passwords, so I can only assume they deemed the added security worth amending the protocol. (Or, perhaps their client/server Of course, I'd much rather use UltraVNC, as it seems to have more features, but I have to say that the setup for proper, secure use over the internet is somewhat confusing (as is the website, unrelatedly). This is particularly the case if one does not wish to use MS-Logon.
Anyway, the last thing I want to do is criticize the project: I applaud the developers for their work and hope they continue to make it better and easier for everyone. I really think the option to lax the 8 character standard would be beneficial overall. Thank you for taking the time to consider my suggestion.
- Rudi De Vos
- Admin & Developer
- Posts: 6879
- Joined: 2004-04-23 10:21
Re: Passwords longer than 8 characters
> I've been using RealVNC for a while, and somehow it manages to allow longer passwords
Are you sure it is using more than 8 chars... or just allows you to enter it.
In the old versions, you could enter more, but internally only the first 8 were used.
Setting 12345678ABC as pass or 12345678 was just the same.
We block at 8 because I didn't like this behaviour. It's better that people
know only 8 are used than giving them the idea that their server is protected with a 30 char passwd.
Anyway, without encryption even 64 chars are not safe.
If you can sniff the net, you can just record the encrypted string and use a special viewer that allows you to enter this string...
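The 8-character truncation described in the reply above, as an added example that is not part of the original posts and is not UltraVNC code: it derives the DES key the way classic RFB "VNC Authentication" does (RFC 6143 section 7.2.2), with the per-byte bit mirroring used by the common vncauth/d3des implementations. The function names and the sample passwords are constructed for illustration, and Latin-1 password encoding is an assumption.

```python
# Added example: how classic RFB "VNC Authentication" turns a password into
# a DES key. Pure key derivation, no network I/O and no DES implementation.

def mirror_bits(byte: int) -> int:
    """Reverse the bit order of one byte (0b00000001 -> 0b10000000)."""
    return int(f"{byte:08b}"[::-1], 2)

def vnc_des_key(password: str) -> bytes:
    """Return the 8-byte DES key derived from a VNC password."""
    raw = password.encode("latin-1")[:8]   # everything past 8 bytes is dropped
    raw = raw.ljust(8, b"\x00")            # short passwords are NUL-padded
    return bytes(mirror_bits(b) for b in raw)

def effective_key(password: str) -> bytes:
    """Key with the bits DES ignores cleared.

    DES treats the low bit of each key byte as parity and never uses it.
    After mirroring, that is the top bit of each password byte, so only
    7 bits per character reach the cipher.
    """
    return bytes(b & 0xFE for b in vnc_des_key(password))

def audit(password: str) -> dict:
    """Report how much of a password actually contributes to the key."""
    encoded = password.encode("latin-1")
    return {
        "length": len(encoded),
        "ignored_chars": max(0, len(encoded) - 8),
        # Upper bound on key material: 7 bits per used character, max 56.
        "max_key_bits": 7 * min(len(encoded), 8),
        "key_hex": effective_key(password).hex(),
    }

if __name__ == "__main__":
    # Constructed sample passwords, including the pair from the post above.
    for pw in ("12345678", "12345678ABC", "1234567"):
        print(f"{pw!r}: {audit(pw)}")
```

A password audit for VNC deployments can use `audit()` to flag stored passwords whose `ignored_chars` is non-zero, since those users believe they have more protection than the protocol gives them.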
Re: Passwords longer than 8 characters
I don't have the source code, of course, so I can't say for sure, however when I enter only the first 8 characters of my password in the viewer, it does not allow me on. I suspect additional tests would prove that no variation of my 11 character password would be accepted, so I would guess it uses the full password, or, if not, hashes the password into a CRC or something.
> It's better that people know only 8 are used than giving them the idea that their server is protected with a 30 char passwd.
Agreed. But it's even better to actually protect their server with a 30 character password.
> Anyway, without encryption even 64 chars are not safe.
Indeed. But 8 characters is particularly subject to brute force even with encryption. Even 2 additional characters would take passwords well beyond the current realm of brute forcing.
Unrelatedly, it'd be nice to clearly see when a connection is encrypted via some icon (in both the screen viewer as well as the logon dialog), so one using the viewer knows whether or not his/her password is being sent in the clear. I am particularly confused when the MSRC4 plugin states it hasn't found a key file and is therefore "using password," since I don't know if that means it's still secure or not, or to what degree.