Over on Paul Jones' weblog today, he has a brief mention of a situation he discovered with crypt() and htpasswd.
In working with Solar today, I discovered an issue related to the crypt() function and password files generated by Apache htpasswd. Technically, it's not a security issue with either of those fine programs, because they do work as documented and intended. However, due to my own ignorance of the limitations of crypt(), I created a security issue of my own; perhaps this post will help others avoid it.
Now here's the thing about crypt() - effectively, it only looks at the first 8 characters of the password to generate the encrypted hash. [...] Thus, if you have a password *longer* than 8 characters, as long as the first 8 characters match, crypt() will call it a valid match.
It seems like this could be a real problem and a security hole in any application that chooses to use the crypt() functionality. Has anyone else seen this (or come up with a workaround for it)?
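As an added illustration (not code from Paul Jones' post, Solar, or Apache), here is a small audit script: it parses an htpasswd file, reports which entries use traditional DES crypt() and therefore only ever compare the first 8 characters, and shows the prefix-match behaviour the quote describes. The file contents, hash values and scheme patterns are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Hash formats Apache htpasswd can emit (patterns are my own, not from the post).
# Only traditional DES crypt() silently ignores everything after the 8th character.
SCHEMES = [
    ("bcrypt",    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), None),
    ("apr1-md5",  re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), None),
    ("sha1",      re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), None),
    ("des-crypt", re.compile(r"^[./A-Za-z0-9]{13}$"), 8),
]

# Constructed sample file; none of these hashes belong to a real system.
SAMPLE_HTPASSWD = """\
# users for /admin (constructed sample)
alice:ab7kZQxv0KdPE
bob:$apr1$Zq3fG1Tx$k0M4H6Dv1ByJq2zWt8uY5/
carol:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
dave:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""

def classify(hash_field: str) -> Tuple[str, Optional[int]]:
    """Return (scheme name, number of password chars it uses; None = all)."""
    for name, pattern, limit in SCHEMES:
        if pattern.match(hash_field):
            return name, limit
    return "unknown", None

def audit_htpasswd(text: str) -> List[Tuple[str, str, Optional[int]]]:
    """Parse user:hash lines (skipping blanks/comments) into (user, scheme, limit)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {lineno}: expected user:hash")
        entries.append((user, *classify(hash_field)))
    return entries

def truncating_users(text: str) -> List[str]:
    """Accounts whose stored hash only ever compares the first 8 characters."""
    return [user for user, _, limit in audit_htpasswd(text) if limit is not None]

def collides_under_des_crypt(pw_a: str, pw_b: str) -> bool:
    """True when DES crypt() would accept either password in place of the other."""
    return pw_a[:8] == pw_b[:8]
```

Running `truncating_users` over a real htpasswd file lists the accounts whose password policy cannot be enforced beyond 8 characters; regenerating those entries with a non-truncating scheme is the fix.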