There was no Debian 2.30.2 release; there was a Debian 2.0, 2.1, and 2.2 that were released more than 10 years ago. I'm guessing you are talking about the version of GNOME (your desktop environment) which has nothing to do with authentication.
Most Debian systems use PAM for authentication. Your password is checked against a salted key-strengthened hash that is stored in /etc/shadow next to your name.
You'll typically see a line in that file (this is not a real password; just dumbpass created for a fake account that's already deleted):
fake:$6$qaPTEvGg$XCMFzng5TQotiK4Whr4a0F/87.h5KK3kTO1R4Ysr6G8Ej42JZaJynYSG1uBWikQwlWhOPNNHOQgMFd6Kt.1rx/:15725:0:99999:7:::
where the account name is fake, followed by the salted hash of the key-strengthened password in the form $id$salt$encrypted encoded in a base64-like encoding (base64 using the symbols [a-zA-Z0-9./]), followed by a colon and then some more numbers (these numbers relate to settings about when the password was last changed/needs to be changed/will expire/etc.). The id=6 above means that I am using SHA512-crypt, which basically does 5000 rounds of SHA-512 salted hashes before saving my password. See man 3 crypt and man shadow for more details, as well as this page on SHA512-crypt.
Most modern systems (e.g., anything from this century) use stuff similar to this; possibly using MD5-crypt (which still will check against the entire password).
It seems however you are using a very antiquated DES scheme to check against your password that is known to only check against the first 8 characters (bytes) of the password. From man crypt:
In the MD5 and SHA implementations the entire key is significant (instead of only the first 8 bytes in DES).
Your salted hash should start with a $1$ (MD5-crypt), $2a$ (bcrypt), $5$ (sha256 crypt), or $6$ (sha512 crypt), and if it doesn't that means you have a DES hash (which is a scheme dating back to the late 1970s and should not be used any time after the late 1990s when it became feasible to break DES in days).
You can begin using a better solution by altering your PAM password settings and then updating your password using the command passwd. The settings are in /etc/pam.conf or possibly in the directory /etc/pam.d/ in a file named common-password (may vary slightly by distro). The relevant section of my file looks like:
password [success=1 default=ignore] pam_unix.so obscure sha512
This enables pam_unix.so for password authentication, using sha512-crypt as the algorithm to check passwords against. (obscure forces passwords to pass a couple of checks to reject overtly simple passwords -- e.g., words from a dictionary.) Now if pam_unix.so is not findable on your system it may default back to using DES passwords (you may have to install "libpam-modules", which has pam_unix.so, though any reasonable distro will come with this preset up). Personally, I think it is a huge mistake that modern systems could potentially be set up to use DES without raising huge red flags of weakness after each successful login; similar to what happens if you try making certain secure files world-readable.
Additionally there is a very small possibility you found a new bug in crypt/PAM; e.g., possibly if your password contained certain unicode characters in an unexpected encoding with null bytes. (Note that DES passwords not being able to handle unicode properly is one of their known flaws; but again, with a modern scheme like sha512crypt, unicode passwords should be securely handled.)
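As an added example (not part of the answer above), the following Python script parses shadow-format lines and classifies each password field by the $id$ prefix described above, treating a 13-character field with no $ as the legacy DES hash that only checks the first 8 bytes. The sample entries are constructed, apart from the fake account's line quoted in the answer; the 5000-round default for sha-crypt is the glibc default the answer mentions.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample entries (not from a real system). "fake" is the line quoted
# in the answer; "olduser" is an invented 13-char DES field, "rounds" an invented
# sha512-crypt field with an explicit rounds= parameter.
SAMPLE_SHADOW = """\
fake:$6$qaPTEvGg$XCMFzng5TQotiK4Whr4a0F/87.h5KK3kTO1R4Ysr6G8Ej42JZaJynYSG1uBWikQwlWhOPNNHOQgMFd6Kt.1rx/:15725:0:99999:7:::
olduser:ab3Xk9QzT1rfW:15000:0:99999:7:::
rounds:$6$rounds=100000$saltsalt$hashhash:15725:0:99999:7:::
locked:!$6$qaPTEvGg$abc:15725:0:99999:7:::
nopass:*:15725:0:99999:7:::
"""
# crypt(3) id prefixes -> scheme name
SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256-crypt", "6": "sha512-crypt"}
DES_RE = re.compile(r"[A-Za-z0-9./]{13}")   # 2-char salt + 11-char hash, no '$'

class ShadowEntry(NamedTuple):
    user: str
    scheme: str            # "sha512-crypt", "des", "locked", "empty", "unknown"
    weak: bool             # DES (first 8 bytes only), empty, or unrecognised
    rounds: Optional[int]  # sha-crypt rounds when applicable

def classify_hash(field: str) -> tuple:
    if field == "":
        return "empty", True, None               # no password required at all
    if field[0] in "!*":
        return "locked", False, None             # password login disabled
    if field.startswith("$"):
        parts = field.split("$")                 # "", id, [rounds=N,] salt, hash
        scheme = SCHEMES.get(parts[1], "unknown")
        rounds = None
        if scheme in ("sha256-crypt", "sha512-crypt"):
            rounds = 5000                        # glibc default without rounds=
            if len(parts) > 2 and parts[2].startswith("rounds="):
                rounds = int(parts[2][len("rounds="):])
        return scheme, scheme == "unknown", rounds
    if DES_RE.fullmatch(field):
        return "des", True, None                 # traditional DES crypt
    return "unknown", True, None

def audit_shadow(text: str) -> list:
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue                             # skip comments and junk lines
        scheme, weak, rounds = classify_hash(fields[1])
        entries.append(ShadowEntry(fields[0], scheme, weak, rounds))
    return entries
```

Run audit_shadow over the contents of /etc/shadow (as root) and any entry marked weak is one to rehash with passwd after fixing the PAM setting.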