HP Quality Centre Weak password Obfuscation

[jason () inner-security co uk]

Not a major issue, but should be noted:

The password in QC and maybe TD is obfuscated as below:

password using jason is:
PASSWORD:\0000001e\ENRCRYPTED189!206!226!219!217!

As you will see each char has a 3 digit and exclamation mark. This is not in any way random, this is static, depending 
on where the password char is in the order. Below is the output of 10 char a's, as you will see the 2nd char a is 
always 206!: so easy to map out!, if the password is blank the digits are not populated:

PASSWORD:\00000032\ENRCRYPTED180!206!208!205!204!194!184!194!212!169!

As most customers implement QC with http, HP are advising that SSL should be implemented (obviously). Please see HP's 
response below:

--------

Hello Jason,

The obfuscation was intended to conceal the passwords from casual inspection.  Https must be used if robust encryption 
is required.  We are considering modifying the product documentation to make that clear.


Yours truly,
John
john.morris () hp com
HP Software Security Response Team (SSRT)

--------