warn about maximum VNC password length #370
Comments
The standard vnc authentication is a textbook example of how not to do passwords. It contains numerous design flaws including truncation, which would explain what you are seeing. Anyone trusting a plain or vnc password without some sort of channel encryption is unprepared to face an attacker more sophisticated than ... well words fail. At least with security=none you know how little security you have.
And if you happen to have the time, do you have any suggestions what could make a safe and good solution that allows me to connect to the built in os x screen sharing, and vice versa? So far Tiger with standard is the only one I found to work. I wouldn't want to install another service since this is available on any machine around by default, and I also haven't made up my mind to set up vpn only for this either. I know this might be kind of off topic, therefore I value your input even more.
Apple's screen sharing isn't really VNC compatible, so I would recommend a client that is specifically written for that server. No idea how the security is in the different varieties though.
#1762 implements a check for
Hey there!
I have a shared OS X / Win10 desktop pc, and I wanted to be able to reach Windows also, so I installed x64 1.7.0. Set up Standard VNC authentication, and tested it with RealVNC from my iPhone, only to notice it connected without entering the password.
The phone has a 20+ char long saved password for OS X, that starts, but is not the same as Windows'. Is the password being cut before verifying? If there is a limit to password length, a user notification would be important when setting it.
Or if there is no such thing, then I have no idea why it lets me in and that's a worrying thought.
What could be the cause?
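
The truncation discussed in this thread, as an added example that is not part of the issue and not TigerVNC code: classic RFB "VNC Authentication" uses the password as a DES key, so only its first 8 bytes matter. The function names, the Latin-1 encoding choice and the sample passwords are assumptions made for illustration.

```python
VNC_KEY_LEN = 8  # DES key size in bytes; classic VNC auth uses nothing past this


def _reverse_bits(b):
    """Mirror the bit order of one byte (the VNC-specific DES key quirk)."""
    return int(f"{b:08b}"[::-1], 2)


def vnc_des_key(password):
    """Return the 8-byte DES key that classic VNC auth derives from a password."""
    # Assumption: the password is sent as single-byte characters (Latin-1).
    raw = password.encode("latin-1", errors="replace")
    # Truncate to 8 bytes, pad shorter passwords with NUL bytes.
    raw = raw[:VNC_KEY_LEN].ljust(VNC_KEY_LEN, b"\x00")
    return bytes(_reverse_bits(b) for b in raw)


def same_effective_password(a, b):
    """True when a server using classic VNC auth cannot tell a and b apart."""
    return vnc_des_key(a) == vnc_des_key(b)


def password_warnings(password):
    """Hypothetical set-time check: messages a password dialog could show."""
    n = len(password.encode("latin-1", errors="replace"))
    warnings = []
    if n > VNC_KEY_LEN:
        warnings.append(
            f"password is {n} bytes, only the first {VNC_KEY_LEN} are used; "
            f"the last {n - VNC_KEY_LEN} are ignored"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample values, not taken from the report.
    server_pw = "Tr0ub4dor"                    # 9 characters set on the server
    saved_pw = "Tr0ub4do-and-a-lot-more-text"  # longer password saved on a client
    print(same_effective_password(server_pw, saved_pw))  # shared 8-byte prefix
    print(same_effective_password("short", "shortandlonger"))  # prefix < 8 bytes
    for msg in password_warnings(saved_pw):
        print("warning:", msg)
```

A longer saved password is accepted only when its first 8 bytes equal the server password's first 8 bytes; a server password shorter than 8 bytes is NUL-padded and does not match a longer one.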