[AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au
scott at doc.net.au
Thu Mar 20 16:59:07 EST 2014
On Wed, Mar 19, 2014 at 10:54 PM, Joseph Goldman <joe at apcs.com.au> wrote:
> I think the news article in question is more referencing that Melbourne IT
> store the password in cleartext in the DB, so only DB data exposure would
> be required to compromise customers' domains.
That is what they are claiming. However the claim appears to be made based
on the fact that they are able to obtain the clear-text password, not on
any actual proof that it's stored in clear-text.

They even explicitly quote the fact that MelbIT claim to encrypt all data
with "28-bit" (sic, it's actually 128-bit on their website) encryption, but
still claim that it's obviously stored in clear-text.