[AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au
Joseph Goldman
joe at apcs.com.au
Tue Mar 11 08:31:05 EST 2014
My thoughts exactly, a domain password by design has to be retrievable,
so it can't be a one-way hash.
On 11/03/14 08:08, Scott Howard wrote:
> Isn't this how it has to work, given what the domain password is?
>
> AUDA will also email you your password just by asking -
> http://admin.auda.org.au/passwordMail/PasswordMail
>
> Nowhere does there seem to be any real indication that these are
> stored in "cleartext". The claim that "If the credentials were stored
> on the server in an encrypted format, it is unlikely they could be
> automatically decrypted by a mailout program to be sent in cleartext"
> is bogus (although you could argue that having the key available to
> the same system as the encrypted data leaves it as good as cleartext -
> but that is NOT what they are saying).
>
> And "28 bit" crypto? Umm.. no. The linked website clearly says "128
> bit" and has for at least a year according to the Way Back Machine.
>
> Scott
>
> On Mon, Mar 10, 2014 at 1:45 PM, Peter Lawler <ausnog at bleeter.id.au> wrote:
>
> It occurs to me that some on noggers may not have previously been
> aware of this. But now that it's 'in the news', etc.
>
> http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog