Password security

Post by Markus »

Hello all together.

After having big problems with hackers using Remote Desktop control from Windows, I needed to look around for another solution.
I found UltraVNC, read the FAQ and read around in this forum...
After installing, UltraVNC looks fine for me and it works fine for me, but I still have 3 questions. (atm I don't use this encryption plugin)

1) Why are only the first 8 letters of the password relevant?

The password is encrypted, the server sends 1 random string to the client, and the client uses this string to encrypt the password before sending it.

2) Question: does this calculating (encrypting) cost enough CPU time to make a brute-force attack slow?

3) Does UltraVNC, like RealVNC, have a built-in intrusion detection/prevention?

Well, so far only 3 small questions to this great program. :)

cheers
Markus

Post by UltraSam »

Hi,

1) It's history: VNC password is 8 chars max since the very first VNC version... and we wanted to remain compatible with all VNC flavors. That's why.
If you need stronger password authentication, either use MSLogon and/or the encryption DSM Plugin (which acts as an additional string authentication mechanism).
Anyway, always use an 8 chars password...

2) No. A brute force attack against a VNC server is very hard because of 3) (see below), but a "man in the middle" attack is still possible between the viewer and the server (interception of the clear challenge sent by the server to the viewer and interception of the encrypted challenge sent by the real viewer to the server using the password as encryption key => VNC password is then known as the encryption algo is public).
Solution: use the DSMPlugin or an SSH tunnel.

3) Yep, there's a blacklist mechanism preventing brute force attacks by banishing IPs that try too many wrong passwords in a short amount of time. They are blacklisted for a period of time (don't have the value in mind, I must check), but it's enough to prevent a brute force attack, even on an 8 chars password.
Last edited by UltraSam on 2004-12-08 22:46, edited 1 time in total.
UltraSam
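
The blacklist idea from answer 3, sketched as an added example that is not part of the original posts and is not UltraVNC's code. All names and the thresholds (5 failures, 60 s window, 600 s ban) are assumptions, since the thread does not give the real values; the last two functions estimate the guess rate such a per-IP policy still permits.

```python
from collections import defaultdict, deque

class FailedLoginBlacklist:
    """Ban a source IP after too many wrong passwords in a sliding window."""

    def __init__(self, max_failures=5, window_s=60, ban_s=600):
        # Assumed thresholds for illustration; not UltraVNC's actual values.
        self.max_failures, self.window_s, self.ban_s = max_failures, window_s, ban_s
        self._failures = defaultdict(deque)  # ip -> times of recent failures
        self._banned_until = {}              # ip -> time at which the ban ends

    def is_banned(self, ip, now):
        until = self._banned_until.get(ip)
        if until is not None and now >= until:
            del self._banned_until[ip]       # ban has expired
            return False
        return until is not None

    def record_failure(self, ip, now):
        """Register a wrong password; return True if the IP is (now) banned."""
        if self.is_banned(ip, now):
            return True
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window_s:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._banned_until[ip] = now + self.ban_s
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)         # a correct login resets the count

    def guesses_per_day(self):
        """Approximate ceiling on password guesses per source IP per day."""
        paced = (self.max_failures - 1) * 86400 / self.window_s  # never banned
        burst = self.max_failures * 86400 / self.ban_s           # banned each time
        return max(paced, burst)


def years_to_exhaust(keyspace, guesses_per_day):
    """Time to try every password at the given rate, from one source IP."""
    return keyspace / guesses_per_day / 365


if __name__ == "__main__":
    bl = FailedLoginBlacklist()
    # Constructed events: five wrong passwords from one address within 4 seconds.
    print([bl.record_failure("192.0.2.10", t) for t in range(5)])
    print(bl.guesses_per_day(), years_to_exhaust(62 ** 8, bl.guesses_per_day()))
```

The limit applies per source address and only slows online guessing. It does nothing for the intercepted challenge/response case in answer 2, which is what the DSM plugin or an SSH tunnel addresses.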

Post by Markus »

Wow, this is a real fast reply.
I think I will additionally install the encryption plugin and maybe also the MSLogon.

I hope then I get rid of this hacker(s) that cost me so much time. :evil:


Thank you very much.

Cheers
Markus