Bugtraq mailing list archives
Re: Insecure handling of NetSol maintainer passwords
From: jogata () NODC NOAA GOV (Jefferson Ogata)
Date: Tue, 9 Nov 1999 14:49:48 -0500
I have also noticed a problem with Network Solutions' handling of passwords for CRYPT-PW authentication: when you submit the password initially, the form they generate with their New Contact Form web system runs the password you enter through crypt(), but the first two characters of the encrypted value (the salt) are the same as the first two characters of the password, indicating they use the password as its own salt. This dramatically limits the usefulness of encrypting the password in the first place, since you've already given away the first two characters, and probably hamstrung the whole algorithm at the same time. (More advanced crypto people than I can comment on this.)

In any case, this is definitely the wrong way to do it. I re-encrypted my password with a different salt when submitting it and this appeared to work fine. But Network Solutions should be generating a random salt value, not storing a portion of the password unencrypted in their database as the salt. Most people won't even notice, and very few will know how to generate their own properly salted value.

--
Jefferson Ogata <jogata () nodc noaa gov>
National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
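The post describes two things a form generator should get right: draw the two crypt(3) salt characters at random rather than from the password, and notice when a submitted CRYPT-PW value carries the password's first two characters as its salt. The following is an added example by the editor, not code from the post or from Network Solutions. It assumes Python's standard `crypt` module for producing real DES crypt strings (that module exists through Python 3.12 and is removed in 3.13, so the code degrades to salt handling only when it is missing); the helper names, the handles and the sample CRYPT-PW strings are constructed for illustration. Traditional DES crypt takes a two-character salt from the 64-character alphabet `./0-9A-Za-z` and stores it as the first two characters of its 13-character output, which is why the leak the post describes is visible by inspection.

```python
import secrets
import string
from typing import List, Optional, Tuple

# The crypt(3) salt alphabet: 64 symbols, so a two-character salt carries 12 bits.
SALT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase

try:
    import crypt  # standard library through Python 3.12; removed in 3.13
except ImportError:  # pragma: no cover - depends on the interpreter version
    crypt = None


def crypt_available() -> bool:
    """True when real DES crypt strings can be produced on this interpreter."""
    return crypt is not None


def random_salt() -> str:
    """Two salt characters from a CSPRNG, chosen independently of the password."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))


def salt_leaks_password(password: str, hashed: str) -> bool:
    """True if the stored salt (the first two characters of the crypt string)
    equals the first two characters of the password, i.e. the password was
    used as its own salt, as the post observed on the New Contact Form."""
    return len(hashed) >= 2 and hashed[:2] == password[:2]


def make_crypt_pw(password: str, salt: Optional[str] = None) -> str:
    """Produce a CRYPT-PW value with a random, password-independent salt.

    A caller may pass an explicit salt; it is validated against the crypt(3)
    alphabet and rejected if it would reproduce the password-as-salt flaw.
    """
    if not crypt_available():
        raise RuntimeError("the crypt module is not available on this interpreter")
    if salt is None:
        salt = random_salt()
        # A random salt can coincide with the password prefix by chance
        # (1 in 4096); redraw so the stored value never reveals it.
        while salt_leaks_password(password, salt):
            salt = random_salt()
    if len(salt) != 2 or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt must be two characters from the crypt(3) alphabet")
    if salt_leaks_password(password, salt):
        raise ValueError("salt equals the first two password characters; choose another")
    return crypt.crypt(password, salt)


def audit_records(records: List[Tuple[str, str, str]]) -> List[str]:
    """Given (handle, cleartext password, CRYPT-PW) triples as the form
    generator sees them at submission time, return the handles whose
    stored value leaks the password prefix through its salt."""
    return [handle for handle, password, hashed in records
            if salt_leaks_password(password, hashed)]


# Constructed sample records; the CRYPT-PW strings are illustrative, not real hashes.
SAMPLE_RECORDS = [
    ("JO1-CONSTRUCTED", "sunfish9", "suJ8kQmzXPwLk"),     # salt "su" == password[:2]
    ("JL2-CONSTRUCTED", "river-twice", "9fTrLq2Vb.0aE"),  # independent salt "9f"
]


if __name__ == "__main__":
    print("leaking handles:", audit_records(SAMPLE_RECORDS))
    if crypt_available():
        print("properly salted:", make_crypt_pw("sunfish9"))
```

`audit_records` is the check a form generator can run before it emits the template; `make_crypt_pw` is what it should be emitting in the first place. The redraw loop in `make_crypt_pw` matters only for the rare case where a random salt happens to equal the password prefix, but without it a stored value could still look exactly like the flawed ones the post describes.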