[AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au

Scott Howard scott at doc.net.au
Thu Mar 20 16:59:07 EST 2014

On Wed, Mar 19, 2014 at 10:54 PM, Joseph Goldman <joe at apcs.com.au> wrote:

> I think the news article in question is more referencing that Melbourne IT
> store the password in cleartext in the DB, so only DB data exposure would
> be required to compromise customers domains.

That is what they are claiming. However the claim appears to be made based
on the fact that they are able to obtain the clear-text password, not on
any actual proof that it's stored in clear-text.

They even explicitly quote the fact that MelbIT claim to encrypt all data
with "28-bit" (sic, it's actually 128 bit on their website) encryption, but
still claim that it's obviously stored in clear-text.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20140319/9a0b8174/attachment.html>

More information about the AusNOG mailing list