[AusNOG] MelbourneIT stores domain passwords in cleartext - iTnews.com.au

Robert Hudson hudrob at gmail.com
Thu Mar 20 17:01:20 EST 2014


Technically, yes there is a difference.

Once a system is compromised and the encryption key available, there is no
difference as far as the end result is concerned.

On 20/03/2014 4:54 PM, "Joseph Goldman" <joe at apcs.com.au> wrote:

>  There is also a difference between storing in clear text and retrieving
> back to clear text.
>
> A database exposure may not give a hacker any useful data, and a more
> in-depth knowledge of how the particular registrars and/or auDA's systems
> are run, along with hacking/retrieval of multiple assets may be needed to
> successfully compromise customer passwords.
>
> I think the news article in question is more referencing that Melbourne IT
> store the password in cleartext in the DB, so only DB data exposure would
> be required to compromise customers' domains.
>
> On 20/03/14 16:45, Seamus Ryan wrote:
>
>  Yup
>
>
>
> http://www.ausregistry.com.au/tools/recover-password
>
>
>
> Sends the password to the registrant, via email, in plain text.
> MelbourneIT (or any registrar for that matter) could do all the hashing or
> encrypting of the domain password they want, you would still be able to use
> that Ausregistry page to obtain the password in plain text. Granted there
> have been recent improvements to .au domain security (such as .auLOCKDOWN)
> to protect against unauthorised domain modifications, that isn't what we
> are talking about here.
>
>
>
> It's nothing new.
>
>
>
> - Seamus
>
> *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net]
> *On Behalf Of *Shane Short
> *Sent:* Thursday, 20 March 2014 4:34 PM
> *To:* Robert Hudson
> *Cc:* ausnog at lists.ausnog.net
> *Subject:* Re: [AusNOG] MelbourneIT stores domain passwords in cleartext
> - iTnews.com.au
>
>
>
> I think you'll find Ausregistry stores them in plain text, too. I had one
> for a domain I'd planned to transfer a while ago.. went to the Ausreg page
> to get it sent to me and I got the same password sent to me (so it's
> obviously not regenerated when you request it). I think it's probably
> unfair to target Melbourne IT specifically.
>
>
>
>      *Robert Hudson* <hudrob at gmail.com>
>
> 20 March 2014 9:47 am
>
> Sorry to drag this old thread up - but I can confirm that MelbourneIT
> aren't alone in storing domain auth passwords in cleartext - I've just
> received an email from Europe Registry (http://www.europeregistry.com/)
> with a domain auth password contained within it in cleartext.
>
>
>
>   _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>   *Peter Lawler* <ausnog at bleeter.id.au>
>
> 11 March 2014 4:45 am
>
> It occurs to me that some on noggers may not have previously been aware of
> this. But now that it's 'in the news', etc.
>
>
> http://www.itnews.com.au/News/374095,melbourneit-stores-domain-passwords-in-cleartext.aspx
>
>
>
>
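
The distinction drawn in this thread between cleartext, retrievable and non-retrievable storage, as an added example (not part of any post, and not any registrar's or registry's actual code): a hypothetical `AuthInfoStore` keeps only a salted PBKDF2 hash of each domain auth password, so a recovery request has to issue a new code rather than mail out the stored one. The class name, iteration count and sample domain are assumptions.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


class AuthInfoStore:
    """Hypothetical registrar-side store for domain auth passwords."""

    def __init__(self):
        self._rows = {}  # domain -> (salt, digest); stands in for the DB table

    @staticmethod
    def _digest(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

    def issue(self, domain):
        """Generate a fresh code, keep only its salted hash, return it once."""
        code = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self._rows[domain] = (salt, self._digest(code, salt))
        return code  # delivered to the registrant, never written to the DB

    def verify(self, domain, presented):
        """Check a code presented with a transfer request."""
        row = self._rows.get(domain)
        if row is None:
            return False
        salt, digest = row
        return hmac.compare_digest(digest, self._digest(presented, salt))

    def recover(self, domain):
        """'Recover password' cannot return the old code, so it rotates it."""
        if domain not in self._rows:
            raise KeyError(domain)
        return self.issue(domain)

    def dump(self):
        """What a database exposure would reveal: salts and digests only."""
        return dict(self._rows)


if __name__ == "__main__":
    store = AuthInfoStore()
    first = store.issue("example.com.au")    # constructed sample domain
    second = store.recover("example.com.au")
    print(first != second, store.verify("example.com.au", first))
```

With this design there is no encryption key whose compromise would return the stored codes, and a recovery request invalidates the previous code.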
>