Bugtraq mailing list archives

Re: Plain text passwords--necessary


From: vandry () MLINK NET (Phillip Vandry)
Date: Mon, 19 Apr 1999 11:10:20 -0400


First, plain text passwords are being used in places where they need not
be. For example the recent post about the Real Media server storing
plain text passwords. There is no reason for the server to store
plain text passwords. It can store a hash and authenticate users
against the hash.

It's the old PAP versus CHAP debate. *YES*, there is reason for the
realmedia server to store the password in plaintext (although it
should still obfuscate it to prevent accidental viewing). I always
like to compare the types of PPP authentication to show this:

Method  Client     Wire       Server
------  ---------  ---------  ---------
PAP     Clear      Clear      Encrypted
CHAP    Clear      Encrypted  Clear

And I don't think we can do better than that. We can encrypt at only one
stage of the process. We have to make a tradeoff.

(Not that I'm saying RealMedia uses the CHAP model and encrypts over the
wire. It probably doesn't, and if that is the case, then it is indeed
stupid.)

-Phil

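The PAP-versus-CHAP trade-off described in the message above, as an added worked example (this is editor-supplied illustration code, not code from the original post and not anything shipped by RealNetworks). The PAP side stores a salted PBKDF2 hash and accepts the password in the clear; the CHAP side follows RFC 1994 (response = MD5 over identifier, secret and challenge), which is exactly why its server must keep the secret itself. The user password and the PBKDF2 round count are made-up values for the demonstration.

```python
"""PAP-style vs CHAP-style authentication, side by side.

Editor-added illustration for this thread; not code from the original post or
from any RealMedia product. PAP here means "client sends the password, server
keeps a salted hash"; CHAP follows RFC 1994 (MD5 over identifier || secret ||
challenge), so the server has to keep the secret in the clear. Password value
and KDF round count are assumptions for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumption: any modern password KDF would do here


# ---- PAP model: clear on the client, clear on the wire, hashed on the server ----

def pap_enroll(password: str, salt: bytes = None) -> dict:
    """Server record for PAP: a salted hash; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def pap_wire(password: str) -> bytes:
    """What an eavesdropper captures under PAP: the password itself."""
    return password.encode()


def pap_verify(record: dict, wire: bytes) -> bool:
    """Server recomputes the hash from the clear-text it received and compares."""
    digest = hashlib.pbkdf2_hmac("sha256", wire, record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


# ---- CHAP model (RFC 1994): clear on client and server, hashed on the wire ----

def chap_enroll(password: str) -> dict:
    """Server record for CHAP: the secret in the clear, because the server must
    recompute MD5(id || secret || challenge) for every fresh challenge."""
    return {"secret": password.encode()}


def chap_challenge() -> bytes:
    """Fresh random challenge value issued by the server for each attempt."""
    return os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(record: dict, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from its stored secret."""
    expected = chap_response(identifier, record["secret"], challenge)
    return hmac.compare_digest(expected, response)


def compare_models(password: str, attempt: str) -> dict:
    """Run one login attempt under each model and report, for each, whether
    authentication succeeded, where the password was exposed, and whether the
    captured wire message can simply be replayed later."""
    # PAP: the captured bytes are the password, and they work again verbatim.
    pap_rec = pap_enroll(password)
    pap_msg = pap_wire(attempt)
    pap_ok = pap_verify(pap_rec, pap_msg)
    pap_replay = pap_verify(pap_rec, pap_msg)

    # CHAP: the captured bytes are challenge + response; the server's next
    # challenge is different, so the old response no longer verifies.
    chap_rec = chap_enroll(password)
    ident, chal = 1, chap_challenge()
    resp = chap_response(ident, attempt.encode(), chal)
    chap_ok = chap_verify(chap_rec, ident, chal, resp)
    chap_replay = chap_verify(chap_rec, ident + 1, chap_challenge(), resp)

    pw = password.encode()
    return {
        "pap": {
            "authenticated": pap_ok,
            "password_on_wire": pw in pap_msg,
            "password_in_store": pw in pap_rec.values(),
            "replay_works": pap_replay,
        },
        "chap": {
            "authenticated": chap_ok,
            "password_on_wire": pw in (chal + resp),
            "password_in_store": pw in chap_rec.values(),
            "replay_works": chap_replay,
        },
    }


if __name__ == "__main__":
    for model, result in compare_models("hunter2", "hunter2").items():
        print(model.upper(), result)
```

Running it shows the two columns of the table above in code: PAP exposes the password on the wire (and a captured message replays), CHAP exposes it in the server's store. One caveat the table does not say: the CHAP response is a hash, not encryption, so a captured challenge/response pair still allows offline guessing of the secret; what it prevents is direct disclosure and replay.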