• Re: Packet password case insensitive or not?

    From Wilfred van Velzen@2:280/464 to Rob Swindell on Wed Apr 22 09:52:47 2020
    Hi Rob,

    On 2020-04-21 16:12:07, you wrote to me:

    SBBSecho has always treated packet passwords case-INsensitively. It is unfortunate that so many of the fido specifications were so badly written to begin with and the resulting ambiguities and contradictions have never been sufficiently addressed by the FTSC.

    There is no ambiguity for packet password case sensitivity. It's just not specified, so anything goes...

    Luckily, with password-protected mail sessions the norm these days,
    packet passwords are kind of moot and probably should just be
    deprecated. Doubt that'll happen though.

    I don't agree here. Packet passwords provide an extra layer of security. For instance without it, anyone can drop a .pkt file in your insecure inbound with a falsified source address and echomail in it. If you process .pkt files from your inbound automatically, it will get tossed, if there is no packet password agreed upon for the falsified source...

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From Wilfred van Velzen@2:280/464 to Paul Quinn on Wed Apr 22 10:17:59 2020
    Hi Paul,

    On 2020-04-22 12:22:58, you wrote to me:

    You can't enter mixed or lowercase into the configuration program,
    only uppercase. And when someone updates the packet password through
    areafix it's converted to uppercase before storing in the
    configuration file. So on outgoing packet files the packet password is
    always uppercase only.

    Oh the horror! There are people out there that I interface with that
    don't know that rule and insist on setting mixedcase. Evil people. Smelly people. Ugly people...

    On FMails side that's not a problem because it checks the passwords case insensitive.

    How they deal with it on their side is their problem. ;)

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From Oli@2:280/464.47 to Wilfred van Velzen on Wed Apr 22 10:14:54 2020
    21 Apr 20 20:39, you wrote to Alan Ianson:

    I was wondering about packet passwords, are they case
    insensitive or not?

    In all my experience packet, areafix and filefix passwords have
    been case insensitive.

    I remember that we always used uppercase packet passwords. I assumed that passwords are case insensitive, but I think I never tried to use lowercase in the config.

    Packet and areafix passwords are case insensitive in FMail. But
    according to Nick there are tossers that are not...

    Crashmail and Squish use stricmp() for the packet passwords -> case insensitive.

    How does stricmp compare strings with high ascii characters?

    It has always been my hope that no one will write a tosser with
    case sensitive passwords!

    What's the problem? You can always configure the case sensitive tosser with an all uppercase (or lowercase) password to communicate with a
    case insensitive tosser.

    Right, uppercase passwords should work with every tosser.

    And that's what I'm trying to find out, if there could be a problem if
    I change FMails behaviour. I'm not seeing it, but I can't think of everything. ;)

    I would say in theory there should be less problems, if FMail were able to send
    mixed case passwords.

    Maybe we should use hex notation for the passwords, so all 255 characters can be used for better security ;).



    * Origin: kakistocracy (2:280/464.47)
  • From Wilfred van Velzen@2:280/464 to Oli on Wed Apr 22 10:33:14 2020
    Hi Oli,

    On 2020-04-22 10:14:54, you wrote to me:

    I remember that we always used uppercase packet passwords. I assumed
    that passwords are case insensitive, but I think I never tried to use lowercase in the config.

    There seems to be different kind of implementations in different tossers...

    Packet and areafix passwords are case insensitive in FMail. But
    according to Nick there are tossers that are not...

    Crashmail and Squish use stricmp() for the packet passwords -> case insensitive.

    FMail currently is too.

    How does stricmp compare strings with high ascii characters?

    On linux that depends on the locale that's set on the computer. So you can get different results on different computers.

    So another good reason to use case sensitive passwords.

    And that's what I'm trying to find out, if there could be a problem
    if I change FMails behaviour. I'm not seeing it, but I can't think of
    everything. ;)

    I would say in theory there should be less problems, if FMail were able to send mixed case passwords.

    It becomes more flexible what you can use. But maybe needs a bit more tweaking to get it right when talking to a case insensitive tosser.

    Maybe we should use hex notation for the passwords, so all 255
    characters can be used for better security ;).

    FTS-0001 doesn't rule that out. (It just says 8 bytes for the packet password). ;)

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
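
Added example, not part of any post in this thread and not FMail, Crashmail or Squish code: a comparison of the eight-byte, null-padded password field that folds only ASCII letters, so its result does not change with the locale the way the `stricmp()` behaviour discussed above can, with an exact-byte mode beside it. The names `pkt_pw_match`, `pkt_pw_pack` and `ascii_upper` and both sample fields are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PKT_PW_LEN 8 /* fts-0001.016: password is eight bytes, null padded */

/* Constructed sample fields, as they would sit in a packet header. */
static const unsigned char SAMPLE_FIELD[PKT_PW_LEN] = {'T','e','s','t','1','2','3',0};
/* 0xE4 is a "high ascii" byte (a-umlaut in ISO-8859-1; 0xC4 is its uppercase). */
static const unsigned char HIGH_FIELD[PKT_PW_LEN] = {0xE4,'p','w',0,0,0,0,0};

/* Pack a configured password into a null-padded field; -1 if it does not fit. */
static int pkt_pw_pack(const char *configured, unsigned char out[PKT_PW_LEN])
{
    size_t n = strlen(configured);
    if (n > PKT_PW_LEN)
        return -1;              /* refuse instead of silently truncating */
    memset(out, 0, PKT_PW_LEN);
    memcpy(out, configured, n);
    return 0;
}

/* Fold ASCII a-z only; every other byte value is returned unchanged, so the
 * result is the same under any setlocale() setting. */
static unsigned char ascii_upper(unsigned char c)
{
    return (c >= 'a' && c <= 'z') ? (unsigned char)(c - 'a' + 'A') : c;
}

/* Returns 1 if the 8-byte header field matches the configured password.
 * fold_ascii != 0: ASCII-only case-insensitive; fold_ascii == 0: exact bytes.
 * All eight bytes are always examined (no early exit on first mismatch). */
int pkt_pw_match(const unsigned char field[PKT_PW_LEN], const char *configured,
                 int fold_ascii)
{
    unsigned char want[PKT_PW_LEN], diff = 0;
    if (pkt_pw_pack(configured, want) != 0)
        return 0;
    for (size_t i = 0; i < PKT_PW_LEN; i++) {
        unsigned char a = field[i], b = want[i];
        if (fold_ascii) { a = ascii_upper(a); b = ascii_upper(b); }
        diff |= (unsigned char)(a ^ b);
    }
    return diff == 0;
}

int main(void)
{
    printf("Test123 vs TEST123, folded: %d\n", pkt_pw_match(SAMPLE_FIELD, "TEST123", 1));
    printf("Test123 vs TEST123, exact:  %d\n", pkt_pw_match(SAMPLE_FIELD, "TEST123", 0));
    printf("0xE4 vs 0xC4, folded:       %d\n", pkt_pw_match(HIGH_FIELD, "\xC4" "PW", 1));
    return 0;
}
```

With ASCII-only folding, two passwords that differ in a high byte never match, whatever locale either system runs under.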
  • From Oli@2:280/464.47 to Wilfred van Velzen on Wed Apr 22 10:44:22 2020
    I was wondering about packet passwords, are they case insensitive or not?

    When I look at the packets I receive, there are some with lower or even
    mixed case passwords.

    Crashmail sends the (mixed-case) password string exactly as configured, no conversion to uppercase.


    * Origin: (2:280/464.47)
  • From Tommi Koivula@2:221/360 to Oli on Wed Apr 22 11:57:14 2020
    Hello Oli!

    Wednesday April 22 2020 10:44, Oli wrote to Wilfred van Velzen:

    When I look at the packets I receive, there are some with lower or even
    mixed case passwords.

    Crashmail sends the (mixed-case) password string exactly as configured, no conversion to uppercase.

    GEcho does the same.

    === Begin OS/2 Clipboard ===

    Pkt-Name: 63C3463A.PKT
    OrigAddr: 2:221/360.0
    DestAddr: 2:221/1234.0
    pkt created: Wed Apr 22 12:54:48 2020
    pkt Password: Test123
    prodCode: 0061
    prodRevision 1.20
    -+--------------------------------------
    Msg: 221/360 -> 221/1234

    === End OS/2 Clipboard ===

    'Tommi

    --- GoldED+/EMX 1.1.5-b20180707
    * Origin: ---------------------------------->> (2:221/360)
  • From Wilfred van Velzen@2:280/464 to Oli on Wed Apr 22 11:25:57 2020
    Hi Oli,

    On 2020-04-22 10:44:22, you wrote to me:

    I was wondering about packet passwords, are they case insensitive or
    not?

    When I look at the packets I receive, there are some with lower or
    even mixed case passwords.

    Crashmail sends the (mixed-case) password string exactly as configured, no conversion to uppercase.

    Good to know...

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From Paul Quinn@3:640/1384 to Wilfred van Velzen on Wed Apr 22 19:37:05 2020
    Hi! Wilfred,

    On 22 Apr 20 10:17, you wrote to me:

    On FMails side that's not a problem because it checks the passwords
    case insensitive.
    How they deal with it on their side is their problem. ;)

    Not a problem. I recall having trouble with -some- other packages but I cannot
    cite anything with certainty. Go ahead and make a new rule and I'll toe the line.

    Cheers,
    Paul.

    ... Blonde Borgs all have the same fun.
    --- GoldED+/LNX 1.1.5-b20130515
    * Origin: Quinn's Rock - Live from Paul's Xubuntu desktop! (3:640/1384)
  • From Rob Swindell@1:103/705 to Wilfred van Velzen on Wed Apr 22 13:15:19 2020
    Re: Re: Packet password case insensitive or not?
    By: Wilfred van Velzen to Rob Swindell on Wed Apr 22 2020 09:52 am

    Hi Rob,

    On 2020-04-21 16:12:07, you wrote to me:

    SBBSecho has always treated packet passwords case-INsensitively. It is unfortunate that so many of the fido specifications were so badly written to begin with and the resulting ambiguities and contradictions have never been sufficiently addressed by the FTSC.

    There is no ambiguity for packet password case sensitivity. It's just not specified, so anything goes...

    Yeah, that's the definition of ambiguity.

    Luckily, with password-protected mail sessions the norm these days, packet passwords are kind of moot and probably should just be deprecated. Doubt that'll happen though.

    I don't agree here. Packet passwords provide an extra layer of security. For instance without it, anyone can drop a .pkt file in your insecure inbound with a falsified source address and echomail in it. If you process .pkt files from your inbound automatically, it will get tossed, if there is no packet password agreed upon for the falsified source...

    SBBSecho will not import echomail from an insecure inbound directory.

    digital man

    This Is Spinal Tap quote #14:
    The Boston gig has been cancelled. [Don't] worry, it's not a big college town.
    Norco, CA WX: 81.9°F, 43.0% humidity, 6 mph ESE wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.10-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Wilfred van Velzen@2:280/464 to Rob Swindell on Thu Apr 23 11:34:10 2020
    Hi Rob,

    On 2020-04-22 13:15:19, you wrote to me:

    Luckily, with password-protected mail sessions the norm these days,
    packet passwords are kind of moot and probably should just be
    deprecated. Doubt that'll happen though.

    I don't agree here. Packet passwords provide an extra layer of security.
    For instance without it, anyone can drop a .pkt file in your insecure
    inbound with a falsified source address and echomail in it. If you
    process .pkt files from your inbound automatically, it will get tossed,
    if there is no packet password agreed upon for the falsified source...

    SBBSecho will not import echomail from an insecure inbound directory.

    Not every system works that way...

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From Wilfred van Velzen@2:280/464 to All on Tue Apr 21 13:58:58 2020
    Hi All,

    I was wondering about packet passwords, are they case insensitive or not?

    FMail has always forced them to uppercase on entry in the configuration, and does a case insensitive compare on the password contained in arrived packet files.

    fts-0001.016 just says this about the password:

    password (some impls)
    eight bytes
    null padded

    "bytes": So it could be anything, including "high ascii".

    When I look at the packets I receive, there are some with lower or even mixed case passwords.
    (So it's a good thing FMail does a case insensitive compare, otherwise it wouldn't match against the configured uppercase password)

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From Paul Quinn@3:640/1384 to Wilfred van Velzen on Tue Apr 21 22:26:53 2020
    Hi! Wilfred,

    On 21 Apr 20 13:58, you wrote to All:

    "bytes": So it could be anything, including "high ascii".

    When I look at the packets I receive, there are some with lower or
    even mixed case passwords. (So it's a good thing FMail does a case insensitive compare, otherwise it wouldn't match against the
    configured uppercase password)

    This has been unsteady 'ground' for me. What is FMail doing when it's coding the forced uppercase, after having potential mixedcase entered in the setup?

    Cheers,
    Paul.

    ... Can I have what's behind curtain #2 instead?
    --- GoldED+/LNX 1.1.5-b20130515
    * Origin: Quinn's Rock - Live from Paul's Xubuntu desktop! (3:640/1384)
  • From Wilfred van Velzen@2:280/464 to Paul Quinn on Tue Apr 21 14:36:54 2020
    Hi Paul,

    On 2020-04-21 22:26:53, you wrote to me:

    "bytes": So it could be anything, including "high ascii".

    When I look at the packets I receive, there are some with lower or
    even mixed case passwords. (So it's a good thing FMail does a case
    insensitive compare, otherwise it wouldn't match against the
    configured uppercase password)

    This has been unsteady 'ground' for me. What is FMail doing when it's coding the forced uppercase, after having potential mixedcase entered in the setup?

    You can't enter mixed or lowercase into the configuration program, only uppercase. And when someone updates the packet password through areafix it's converted to uppercase before storing in the configuration file. So on outgoing packet files the packet password is always uppercase only.

    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From Alan Ianson@1:153/757 to Wilfred van Velzen on Tue Apr 21 09:47:26 2020
    Hello Wilfred,

    I was wondering about packet passwords, are they case insensitive or
    not?

    In all my experience packet, areafix and filefix passwords have been case insensitive.

    It has always been my hope that no one will write a tosser with case sensitive passwords!

    Session passwords are case sensitive but I have never seen that with packet passwords.

    Ttyl :-),
    Al

    --- GoldED+/LNX
    * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)
  • From Wilfred van Velzen@2:280/464 to Alan Ianson on Tue Apr 21 20:39:03 2020
    Hi Alan,

    On 2020-04-21 09:47:26, you wrote to me:

    I was wondering about packet passwords, are they case insensitive or
    not?

    In all my experience packet, areafix and filefix passwords have been case insensitive.

    Packet and areafix passwords are case insensitive in FMail. But according to Nick there are tossers that are not...

    It has always been my hope that no one will write a tosser with case sensitive passwords!

    What's the problem? You can always configure the case sensitive tosser with an all uppercase (or lowercase) password to communicate with a case insensitive tosser.

    And that's what I'm trying to find out, if there could be a problem if I change FMails behaviour. I'm not seeing it, but I can't think of everything. ;)


    Bye, Wilfred.

    --- FMail-lnx64 2.1.0.18-B20170815
    * Origin: FMail development HQ (2:280/464)
  • From mark lewis@1:3634/12 to Alan Ianson on Tue Apr 21 15:18:03 2020
    Re: Packet password case insensitive or not?
    By: Alan Ianson to Wilfred van Velzen on Tue Apr 21 2020 09:47:26


    I was wondering about packet passwords, are they case insensitive or
    not?

    In all my experience packet, areafix and filefix passwords have been
    case insensitive.

    this is because traditionally, all FTN software uppercased everything ;)


    )\/(ark
    --- SBBSecho 3.10-Linux
    * Origin: SouthEast Star Mail HUB - SESTAR (1:3634/12)
  • From Rob Swindell@1:103/705 to Wilfred van Velzen on Tue Apr 21 16:12:07 2020
    Re: Packet password case insensitive or not?
    By: Wilfred van Velzen to All on Tue Apr 21 2020 01:58 pm

    Hi All,

    I was wondering about packet passwords, are they case insensitive or not?

    FMail has always forced them to uppercase on entry in the configuration, and does a case insensitive compare on the password contained in arrived packet files.

    fts-0001.016 just says this about the password:

    password (some impls)
    eight bytes
    null padded

    "bytes": So it could be anything, including "high ascii".

    When I look at the packets I receive, there are some with lower or even mixed case passwords.
    (So it's a good thing FMail does a case insensitive compare, otherwise it wouldn't match against the configured uppercase password)

    SBBSecho has always treated packet passwords case-INsensitively. It is unfortunate that so many of the fido specifications were so badly written to begin with and the resulting ambiguities and contradictions have never been sufficiently addressed by the FTSC. Luckily, with password-protected mail sessions the norm these days, packet passwords are kind of moot and probably should just be deprecated. Doubt that'll happen though.

    digital man

    Synchronet/BBS Terminology Definition #16:
    CVS = Concurrent Versioning System
    Norco, CA WX: 70.6°F, 55.0% humidity, 8 mph E wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.10-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Paul Quinn@3:640/1384 to Wilfred van Velzen on Wed Apr 22 12:22:58 2020
    Hi! Wilfred,

    On 21 Apr 20 14:36, you wrote to me:

    You can't enter mixed or lowercase into the configuration program,
    only uppercase. And when someone updates the packet password through areafix it's converted to uppercase before storing in the
    configuration file. So on outgoing packet files the packet password is always uppercase only.

    Oh the horror! There are people out there that I interface with that don't know that rule and insist on setting mixedcase. Evil people. Smelly people. Ugly people...

    Cheers,
    Paul.

    ... ///\oo/\\\ There are no more bugs. ///\oo/\\\ ///\oo/\\\
    --- GoldED+/LNX 1.1.5-b20130515
    * Origin: Quinn's Rock - Live from Paul's Xubuntu desktop! (3:640/1384)
  • From Alan Ianson@1:153/757 to mark lewis on Tue Apr 21 21:19:40 2020
    Hello mark,

    In all my experience packet, areafix and filefix passwords have
    been case insensitive.

    this is because traditionally, all FTN software uppercased everything ;)

    I read that Internet Rex is case sensitive with packet passwords.

    I have always entered passwords in my own config in upper case.. maybe that's why I never saw any issues. I can enter the password in lower or mixed case if needed by a link but no one has ever asked me to do this.. so far.. ;)

    Ttyl :-),
    Al

    --- GoldED+/LNX
    * Origin: The Rusty MailBox - Penticton, BC Canada (1:153/757)