Not documented anywhere in the FAQ; TigerVNC passwords (and likely its authentication methods) are entirely insecure.

• Passwords are limited to 8 characters in length, even if you specify 20.

  • Extra characters are silently ignored and TigerVNC pretends they're useful.
  • Try it!: Enter only the first 8 characters of your password to log in.

• Passwords are stored on the server in DES encrypted (effectively plain text).

  • In Windows: HKEY_LOCAL_MACHINESOFTWARETigerVNCWinVNC4Password

• This weakness has been known for at least 11 years and is readily exploited with common tools.

  • (details) https://www.raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password/
  • (download) https://www.raymond.cc/blog/wp-content/plugins/download-monitor/download.php?id=232
  • (download) http://aluigi.org/pwdrec/vncpwd.zip
  • (virustotal) https://www.virustotal.com/#/file/9d773bd8045688eb8fbb0baa0dfe161aef1a1feb1a4a696289b13e99707270c9/detection

Passwords should be stored, at minimum, as a one-way hash that cannot be decrypted. They do not need to be decryptable for any practical purpose. Anyone can brute force an 8 character password, even without gaining momentary access to the local system.

Results 1 - 99 of 99 Download Eyeshield 21 Full Episode Sub Indo P| Fast Mirrors| dxWapOJZvj. Download eyeshield 21 sub indo mp4 solidfiles, download.

That would be nice, but the protocol unfortunately requires the password to be known to the server so we cannot hash it. So any improvements here would require a protocol extension, and getting that widely deployed among other VNC implementations.

As for warning about the length, we already have #370 for that. So I'm afraid I'll close this as a duplicate, unless you have something more tangible to suggest for changing the authentication.

If the security of TigerVNC cannot be improved because it must be backwards compatible with intrinsically insecure VNC protocols of 20 years ago, then that should be documented on the head of every article on the website in bold red lettering. I was unable to find any overt or easy to find mentions about the weaknesses mentioned above: DES, 8 character max, stored insecurely where malware regularly scrape passwords.

Does TigerVNC even thwart high-speed brute force password tries and failure attempts?

Similarly, TigerVNC as a project needs to decide whether it wants to stick to being an obsolete backwards compatible program, or a modern and secure program, in a formal statement and liability waiver. There is clearly not enough urgency to discourage people from using TigerVNC. The site requires a statement that implores people to stop using this software, toot sweet.

My remarks are anything but snarky. You also mistaken users who submit feedback, bug reports and security advisories as 'programmers who need to fix it for themselves or shut up.' This is not the case.