April-fools got me today with ESXi
Posted by DJOregano@reddit | sysadmin | View on Reddit | 44 comments
Recently we acquired a new client, and I’m currently in the process of swapping credentials across the board for all their devices.
For context; While I’m versed in VMware, it’s been a hot minute, and mostly on 6.X configurations as we’re mostly a Hyper-V centric org. They also don’t have V-center (small company of like 10 people).
Now our password repository has a built in random password generator, which on paper is great, but it uses passphrase and not random characters. This is to say instead of
“:)/!/78)hkHhrl”
I’ll get
“tomato-christian-cucumber-jesus-confused”
Now by default (and I didn’t know this) ESXi 8.0 has password complexity AND max length. So the password generated was longer than the max (40 I think) and failed to update, of which it warned me as such.
APPARENTLY it did something, cause my OG password no longer works, the new password doesn’t work, so now I’m locked out of the root account until I go onsite and fix it tomorrow…
Can you blame me? Sure, but like jfc it was a simple password change, I didn’t mean to lock the hypervisor lol.
Anyways, I got got by VMware, and I feel like a moron, so here’s to my Wednesday afternoon onsite fixing my mistake 😑
Legitimate-Break-740@reddit
Did you try reducing the new password to the maximum number of characters and using that?
Not a VMware shop, but had a Dell server pull that on me recently, except it didn't give any warnings.
AspieEgg@reddit
I feel like that should only work if the passwords are stored in plain text.
jmbpiano@reddit
Not necessarily. Sometimes the password will get truncated by whatever frontend UI is doing input validation before it ever reaches the hashing algorithm.
ZealousidealTurn2211@reddit
I experienced this with Dell iDRACs at one point. If you tried to set a password longer than their max length (20 chars if I recall) it would truncate it and then commit the truncated version as the password.
The most annoying part was Dell support being somewhat incredulous that I thought it should at least like... warn that the password was too long.
ScreamingVoid14@reddit
Or someone decided that for "security" they'd limit the input size to be less than the output size of the hash function.
llv44K@reddit
True, but it works more often than not. My bank's login does this.
dracotrapnet@reddit
I've had vendors accept a long password at reset but the login page did not. That was weird.
Remember when there's a password maximum, the password is likely not getting hashed.
narcissisadmin@reddit
I've seen that, it had truncated the password on the reset page but not the login. Grr.
DJOregano@reddit (OP)
I did, yeah. No dice :/
Tx_Drewdad@reddit
Yup. Try just the first 40 characters of the new password.
AnalStimulant@reddit
VMware and password requirements don't get along very well. I remember some internal password reset utility in vCenter could generate unusable characters (and not tell you about it) and the solution in KB was "try over and over until you hit a valid password"
DJOregano@reddit (OP)
I appreciate your input u/AnalStimulant 🙏🏼
narcissisadmin@reddit
That was one hell of a comment.
hy2rogenh3@reddit
If the host is in vCenter no need to do anything on site. Update the host profile with the new root password and move on.
ITrCool@reddit
OP said they don’t have vCenter
narcissisadmin@reddit
Is such a shituation even supported now?
1116574@reddit
There isn't really any technical reason to have a max password length, is there?
meagainpansy@reddit
I used to work at a bank that had a max password length of 8 because of some limitation with the mainframe. The min was also 8 though.
theneedfull@reddit
AS400? I remember it having crap like that.
martinmt_dk@reddit
😂 and it didn’t care about case sensitivity either. Good ol days
narcissisadmin@reddit
There are THREE systems at my work with case-sensitive usernames. Ugh.
meagainpansy@reddit
No, I don't know the model but it was small bedroom sized. This was a bank with 2000 branches.
SydneyTechno2024@reddit
I closed an account with a bank the same week that I opened it because their password policy was a fixed 6 digits in length, alphanumeric only.
AspieEgg@reddit
I know of a Canadian bank that does a 4 or 6 digit PIN for login, but it does also require MFA. But the MFA it uses only allows for text message codes. It surprises me that any bank isn’t at least offering more secure methods of authentication.
ItJustBorks@reddit
Banks are generally extremely conservative on IT matters.
meagainpansy@reddit
That's really weird actually. The limit in referring to only applied to employees. The customers had a different authentication system.
SydneyTechno2024@reddit
They fixed it in 2023 and now have a 30 character limit. Still a bit low for my tastes, I like to put 32+ into everything.
https://www.westpac.com.au/news/money-matters/2023/08/how-were-working-to-make-your-banking-safer/
I couldn’t believe it when I went to setup my account in 2017. I don’t think I ever got around to even putting money into the account.
narcissisadmin@reddit
Sure there is. Anything longer than the hashed value is guaranteed to have collisions.
Electrical_Ingenuity@reddit
The bcrypt password hashing algorithm, which is a common and secure choice, has around a 72 character limit. But this can be avoided by using a hash-a-hash approach.
ApertureNext@reddit
I’m pretty sure there are special cases that make it a bad idea to allow all 72 characters.
tankerkiller125real@reddit
It has a 73 char max, but you don't have to tell the end user about it because the algorithm will truncate on its own.
Cormacolinde@reddit
There are plenty, in fact. First you need an UI with a password box - this will have a maximum size if you want to display the password length. Even if you ignore display issues, this password box will be then stored in a variable and then a register - variables have maximum sizes. Then you need to perform mathematical operations on that password, and this can take time. You need to optimize and limit the time required to perform hashing and/or encryption operations on that password. Finally, it needs to be stored somewhere - text file (/etc/passwd), database (NTDS.dit), etc. This requires space and has processing requirements to process, once again forcing a limitation on its size.
These limits may be different depending on the system. For example, the Windows UI will limit you to 127 characters, but AD can store passwords with 256 characters internally.
Turmfalke_@reddit
There are some algorithm that do have a max length, like bcrypt has a max length of 56 bytes.
I could also see a DOS scenario in which someone tries to submit a gigabyte password.
narcissisadmin@reddit
Is it a custom password generator where you can limit the length and just sprinkle some random special characters in? Mine picks 3-6 words until it's about 20 letters long and then does exactly that.
whatever462672@reddit
My April fool's was losing grip on a server and twisting my arm. My shoulder friggin hurts. 😭
Btalon33@reddit
Were you participating in that server throwing competition?
whatever462672@reddit
I'm innocent, I swear, it jumped me!
DJOregano@reddit (OP)
Have you tried turning your shoulder off and on again?
whatever462672@reddit
Oh, it was off for a solid minute there. The real joke is that I am probably not going to deploy that server after all, since I figured how to free up space on newer hardware as i was cursing up a storm in my car.
woodsy900@reddit
Sounds like you just got yourself a server as compensation
DJOregano@reddit (OP)
Time to go full office space, grab the baseball bat
Doso777@reddit
I destroyed a sink. So.. yeah.. stuff happens i suppose.
nostradx@reddit
I’ve experienced this issue as well when changing the password through the web GUI. You need to reboot the ESXi host for the change to kick in. Never change the password in the web GUI.
fognar777@reddit
The thing I got on my April fools was that the number port for the 4 dozen or so live numbers that I had asked for a status update on days before were already ported at 8 am, except I got that email at 11, and I didn't see it till closer to 1. I got everything sorted and configured just before 3:30, so they're was only about 7 extra hours of downtime that shouldn't have happened. 🥲