Bugtraq mailing list archives
Re: Plain text passwords--necessary
From: den () FTP LOXINFO CO TH (Densin Roy.)
Date: Tue, 20 Apr 1999 04:59:21 +0700
see http://world.std.com/~dpj On Mon, 19 Apr 1999, Trevor Schroeder wrote:
(Here's hoping this makes it past the censor ;) On Fri, 16 Apr 1999, Aleph One wrote:Lots of replies to this message but they all failed to really answer the questions raised by the original post.It seems to me that a lot of this could be avoided using tickets similar to Kerberos. We have a trusted third party (TTP) that receives your credentials once and returns a ticket for a set of services with a given lifetime. This ticket is good only within a certain context (certain services, servers, clients, times, dates, you name it and it can be rolled into the ticket). That way if the ticket is compromised, it is of limited use (versus a full blown password with may be useful in other contexts.) The client could then use the old ticket (before it expires) to get a new ticket. That way an attacker cannot get ahold of an unlimited use ticket but must continue to get new tickets from the client. (or reveal himself by registering for his own new tickets). There is another rule to obey here: have security levels associated with your passwords. This would seem to be a no-brainer, but I guess it's not. It's usually not very feasible to have a separate password for everything so people pick a few. If you do this, delegate one password (or set of passwords) as low security. Think about what kind of service this is and how your password is likely to be stored. Think about how much damage could be inflicted if blahblahblah.com accidentally lets out your chat password. Don't let passwords for systems with secure password schemes (such as UNIX) be used for those with insecure schemes such as Netscape. (Using any of those "remember my password" features violates this nostrum.) The wisdom of this rule was highlighted by this very same Real Server oops. In an attempt to demonstrate to a friend that he needed to subscribe to BugTraq, I logged in and grabbed his RS password. The disturbing thing is, I know that it's also a root password on some machines. Oops, a silly mistake has now been elevated to a catastrophe. Otherwise, use a separate password for absolutely everything and record them securely. That is to say, PGP encrypt them and take any steps necessary (such as disk wiping) to insure that it can only be recovered by someone who has the appropriate private key. Just my thoughts. ....................................................................... : Bureaucracy is the enemy of innovation. : Trevor Schroeder : : -- Mark Sheperd : tschroed () acm org : :........... http://www.zweknu.org/ for PGP key and more .............:
Current thread:
- Re: Plain text passwords--necessary, (continued)
- Re: Plain text passwords--necessary Trevor Schroeder (Apr 19)
- bug in ssh allowing to be invissible Grzegorz Stelmaszek (Apr 19)
- Re: bug in ssh allowing to be invissible Pete (Apr 20)
- Re: bug in ssh allowing to be invissible Joe Gross (Apr 20)
- NetBSD Security Advisory 1999-009 matthew green (Apr 20)
- Bash Bug Shadow (Apr 20)
- Re: Bash Bug Marc Lehmann (Apr 21)
- Re: Bash Bug Pavel Kankovsky (Apr 22)
- Re: Bash Bug Chet Ramey (Apr 22)
- Re: Plain text passwords--necessary Trevor Schroeder (Apr 19)
- L0pht Security Advisory: Cold Fusion App Server Weld Pond (Apr 21)
- Re: Plain text passwords--necessary Densin Roy. (Apr 19)
- Re: Plain text passwords--necessary Daniel Alex Finkelstein (Apr 19)
- AOL Instant Messenger URL Crash Adam Brown (Apr 19)
- Re: AOL Instant Messenger URL Crash Daniel Reed (Apr 20)
- Shopping Carts exposing CC data Joe (Apr 19)
- Re: Shopping Carts exposing CC data Joe (Apr 20)
- Outlook 98 allows spoofing internal users Nate Lawson (Apr 20)
- Re: Outlook 98 allows spoofing internal users Peter van Dijk (Apr 25)
- Re: Shopping Carts exposing CC data Louis R. Marascio (Apr 20)
- eBay password stealing with JavaScript Michael K. Sanders (Apr 20)
- Re: eBay password stealing with JavaScript Paul Festa (Apr 21)