[AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au

Scott Howard scott at doc.net.au
Tue Mar 11 08:08:22 EST 2014


Isn't this how it has to work, given what the domain password is?

AUDA will also email you your password just by asking -
http://admin.auda.org.au/passwordMail/PasswordMail

Nowhere does there seem to be any real indication that these are stored in
"cleartext".  The claim that "If the credentials were stored on the server
in an encrypted format, it is unlikely they could be automatically
decrypted by a mailout program to be sent in cleartext" is bogus (although
you could argue that having the key available to the same system as the
encrypted data leaves it as good as cleartext - but that is NOT what they
are saying).

And "28 bit" crypto?  Umm.. no.  The linked website clearly says "128 bit"
and has for at least a year according to the Wayback Machine.

  Scott




On Mon, Mar 10, 2014 at 1:45 PM, Peter Lawler <ausnog at bleeter.id.au> wrote:

> It occurs to me that some on noggers may not have previously been aware of
> this. But now that it's 'in the news', etc.
>
> http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx
>
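
The storage distinction argued over in the message above, as an added example that is not part of the original thread: a code sealed with AES-256-GCM can be recovered by whatever holds the key (so a mailout program can send it), while a salted scrypt digest can only be verified. All names and sample values are constructed for illustration.

```javascript
// Added illustration; function names and sample values are assumptions.
const crypto = require('node:crypto');

// Reversible store: AES-256-GCM with a key held by the application.
function sealAuthCode(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function openAuthCode(key, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

// One-way store: salted scrypt digest; it can verify but never recover.
function hashAuthCode(plaintext) {
  const salt = crypto.randomBytes(16);
  return { salt, digest: crypto.scryptSync(plaintext, salt, 32) };
}

function verifyAuthCode(rec, candidate) {
  const d = crypto.scryptSync(candidate, rec.salt, 32);
  return crypto.timingSafeEqual(d, rec.digest);
}

// What a party holding `material` can recover from a sealed record.
function recoverWith(material, rec) {
  try { return openAuthCode(material, rec); } catch { return null; }
}

function demo() {
  const authCode = 'Xk7#constructed-sample';   // constructed value
  const appKey = crypto.randomBytes(32);       // key on the mailout host
  const sealed = sealAuthCode(appKey, authCode);
  const hashed = hashAuthCode(authCode);
  return {
    mailoutCanSend: recoverWith(appKey, sealed) === authCode,
    withoutKey: recoverWith(crypto.randomBytes(32), sealed),
    ciphertextHidesCode: !sealed.ct.includes(Buffer.from(authCode)),
    hashVerifies: verifyAuthCode(hashed, authCode),
    hashRejects: verifyAuthCode(hashed, 'wrong-guess'),
  };
}
```

The record is only as protected as the key: a dump of the sealed records alone yields nothing, while the records plus the key yield every code.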