[AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au

Joseph Goldman joe at apcs.com.au
Thu Mar 20 16:54:14 EST 2014


There is also a difference between storing in clear text and retrieving 
back to clear text.

A database exposure may not give a hacker any useful data, and a more 
in-depth knowledge of how the particular registrars and/or auDA's 
systems are run, along with hacking/retrieval of multiple assets may be 
needed to successfully compromise customer passwords.

I think the news article in question is more referencing that Melbourne 
IT store the password in cleartext in the DB, so only DB data exposure 
would be required to compromise customers' domains.

On 20/03/14 16:45, Seamus Ryan wrote:
>
> Yup
>
> http://www.ausregistry.com.au/tools/recover-password
>
> Sends the password to the registrant, via email, in plain text. 
> MelbourneIT (or any registrar for that matter) could do all the 
> hashing or encrypting of the domain password they want, you would 
> still be able to use that Ausregistry page to obtain the password in 
> plain text. Granted there have been recent improvements to .au domain 
> security (such as .auLOCKDOWN) to protect against unauthorised domain 
> modifications, that isn't what we are talking about here.
>
> It's nothing new.
>
> -Seamus
>
> *From:*AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of 
> *Shane Short
> *Sent:* Thursday, 20 March 2014 4:34 PM
> *To:* Robert Hudson
> *Cc:* ausnog at lists.ausnog.net
> *Subject:* Re: [AusNOG] MelbourneIT stores domain passwords in 
> cleartext - iTnews.com.au
>
> I think you'll find Ausregistry stores them in plain text, too. I had 
> one for a domain I'd planned to transfer a while ago. I went to the 
> Ausreg page to get it sent to me and I got the same password sent to 
> me (so it's obviously not regenerated when you request it). I think 
> it's probably unfair to target Melbourne IT specifically.
>
>
>
>     *Robert Hudson* <mailto:hudrob at gmail.com>
>
>     20 March 2014 9:47 am
>
>     Sorry to drag this old thread up - but I can confirm that
>     MelbourneIT aren't alone in storing domain auth passwords in
>     cleartext - I've just received an email from Europe Registry
>     (http://www.europeregistry.com/) with a domain auth password
>     contained within it in cleartext.
>
>
>
>     _______________________________________________
>     AusNOG mailing list
>     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
>     http://lists.ausnog.net/mailman/listinfo/ausnog
>
>     *Peter Lawler* <mailto:ausnog at bleeter.id.au>
>
>     11 March 2014 4:45 am
>
>     It occurs to me that some on noggers may not have previously been
>     aware of this. But now that it's 'in the news', etc.
>
>     http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx
>
>
>
>

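An added illustration, not code from any registrar, registry, or the article under discussion, of the distinction drawn above between storing in clear text and being able to retrieve back to clear text: with only a salted hash on file, a recovery page cannot send back the same password (the check Shane applied), so it has to rotate the secret and email the new one. The domain, passwords and PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import os
import secrets

# Constructed model of a registrar's domain auth-info store (an added
# illustration, not any registrar's or registry's code). Only a salted PBKDF2
# hash is kept, so the old password cannot be retrieved; recovery rotates it.

ITERATIONS = 200_000  # assumption: tune to your hardware budget


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AuthInfoStore:
    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}  # domain -> (salt, hash)

    def set_password(self, domain: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[domain] = (salt, _hash(password, salt))

    def verify(self, domain: str, password: str) -> bool:
        if domain not in self._records:
            return False
        salt, stored = self._records[domain]
        return secrets.compare_digest(stored, _hash(password, salt))

    def recover(self, domain: str) -> str:
        """The stored value is not reversible, so issue and return a new one."""
        if domain not in self._records:
            raise KeyError(domain)
        new_password = secrets.token_urlsafe(12)
        self.set_password(domain, new_password)
        return new_password  # this, never the old value, is what gets emailed

    def holds_plaintext(self, domain: str, password: str) -> bool:
        """Sanity check: the record must not embed the password itself."""
        salt, stored = self._records[domain]
        return password.encode() in salt + stored


def demo_recovery(domain: str = "example.com.au", old: str = "Tr0ub4dor-old") -> dict:
    """The thread's test: recovery returning the same password means a reversible store."""
    store = AuthInfoStore()
    store.set_password(domain, old)
    new = store.recover(domain)
    return {"plaintext_on_disk": store.holds_plaintext(domain, old),
            "same_password_returned": new == old,
            "old_still_works": store.verify(domain, old),
            "new_works": store.verify(domain, new)}
```

A store that can return the identical password on request is, by construction, holding it in a recoverable form, whatever encryption sits in front of the database.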