<p dir="ltr">Technically, yes, there is a difference. </p>
<p dir="ltr">Once a system is compromised and the encryption key available, there is no difference as far as the end result is concerned.</p>
<div class="gmail_quote">On 20/03/2014 4:54 PM, "Joseph Goldman" &lt;<a href="mailto:joe@apcs.com.au">joe@apcs.com.au</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
There is also a difference between storing in clear text and
retrieving back to clear text.<br>
<br>
A database exposure may not give a hacker any useful data, and a
more in-depth knowledge of how the particular registrars and/or
auDA's systems are run, along with hacking/retrieval of multiple
assets may be needed to successfully compromise customer passwords.<br>
<br>
I think the news article in question is more referencing that
Melbourne IT store the password in cleartext in the DB, so only DB
    data exposure would be required to compromise customers' domains.<br>
<br>
<div>On 20/03/14 16:45, Seamus Ryan wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Yup<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="http://www.ausregistry.com.au/tools/recover-password" target="_blank">http://www.ausregistry.com.au/tools/recover-password</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Sends
the password to the registrant, via email, in plain text.
MelbourneIT (or any registrar for that matter) could do all
the hashing or encrypting of the domain password they want,
you would still be able to use that Ausregistry page to
obtain the password in plain text. Granted there have been
recent improvements to .au domain security (such as
.auLOCKDOWN) to protect against unauthorised domain
modifications, that isn’t what we are talking about here.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It’s
nothing new.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>-<span style="font:7.0pt "Times New Roman"">
</span></span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Seamus<u></u><u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext" lang="EN-US">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:windowtext" lang="EN-US"> AusNOG
[<a href="mailto:ausnog-bounces@lists.ausnog.net" target="_blank">mailto:ausnog-bounces@lists.ausnog.net</a>]
<b>On Behalf Of </b>Shane Short<br>
<b>Sent:</b> Thursday, 20 March 2014 4:34 PM<br>
<b>To:</b> Robert Hudson<br>
<b>Cc:</b> <a href="mailto:ausnog@lists.ausnog.net" target="_blank">ausnog@lists.ausnog.net</a><br>
<b>Subject:</b> Re: [AusNOG] MelbourneIT stores domain
passwords in cleartext - <a href="http://iTnews.com.au" target="_blank">iTnews.com.au</a><u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal">I think you'll find Ausregistry stores them
in plain text, too. I had one for a domain I'd planned to
transfer a while ago.. went to the Ausreg page to get it sent
to me and I got the same password sent to me (so it's
obviously not regenerated when you request it). I think it's
probably unfair to target Melbourne IT specifically.<br>
          </p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div style="margin-left:18.75pt;margin-top:22.5pt;margin-right:18.75pt;margin-bottom:7.5pt">
<div style="border:none;border-top:solid #edeef0 1.0pt;padding:4.0pt 0cm 0cm 0cm;display:table">
<div>
<p class="MsoNormal" style="vertical-align:middle"><a href="mailto:hudrob@gmail.com" target="_blank"><b>Robert Hudson</b></a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="vertical-align:middle"><span style="color:#9fa2a5">20 March 2014 9:47 am</span><u></u><u></u></p>
</div>
</div>
</div>
<div style="margin-left:18.0pt;margin-right:18.0pt">
<div>
<p class="MsoNormal"><span style="color:#888888">Sorry to
drag this old thread up - but I can confirm that
MelbourneIT aren't alone in storing domain auth
passwords in cleartext - I've just received an email
from Europe Registry (<a href="http://www.europeregistry.com/" target="_blank">http://www.europeregistry.com/</a>)
with a domain auth password contained within it in
cleartext.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#888888">_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><u></u><u></u></span></p>
</div>
</div>
<div style="margin-left:18.75pt;margin-top:22.5pt;margin-right:18.75pt;margin-bottom:7.5pt">
<div style="border:none;border-top:solid #edeef0 1.0pt;padding:4.0pt 0cm 0cm 0cm;display:table">
<div>
<p class="MsoNormal" style="vertical-align:middle"><a href="mailto:ausnog@bleeter.id.au" target="_blank"><b>Peter Lawler</b></a><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal" style="vertical-align:middle"><span style="color:#9fa2a5">11 March 2014 4:45 am</span><u></u><u></u></p>
</div>
</div>
</div>
<div style="margin-left:18.0pt;margin-right:18.0pt">
<p class="MsoNormal"><span style="color:#888888">It occurs
to me that some on noggers may not have previously been
aware of this. But now that it's 'in the news', etc.
<br>
<br>
<a href="http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx" target="_blank">http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx</a>
                </span></p>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
<br></blockquote></div>