Bugtraq mailing list archives

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability


From: Chris Adams <cmadams () hiwaay net>
Date: Fri, 8 Jun 2001 14:25:46 -0500

Once upon a time, Peter Ajamian <peter () pajamian dhs org> said:
While crypt password authentication is not in and of itself very secure,
Network Solutions have made it even less so by including the first two
characters of the password as the salt of the encrypted form.  While the

This is not new; I believe that it has come up before.

If you must use CRYPT-PW then the following suggestions are recommended:
 - Password should be at least 10 characters in length.

Pointless, as the algorithm will only look at 8 characters.

 - The password should contain a combination of upper and lower case as
well as numbers and preferably some other symbols.
 - Do not use any dictionary words, proper names, or other easily
recognizable character sequences or forms of them in your password.

Those are general good password recommendations.

 - The first two characters of your password should be _completely_
unrelated to the rest of the password and should not provide any hints as
to what the balance of the password may be.

Good idea.

 - If you have access to and know how to use your own crypt generating
program you should be able to substitute your own encryption for that
provided by Network Solutions on the form.  If you can do this it is
recommended that you use a random salt to generate your password or at
least one that is unrelated to the password itself (note I did not test
this to see if Network Solutions would accept such a substitution of
passwords on their form but the method by which the scheme is implemented
suggests that it should work) (note if you try this you may have to
convince Network Solutions phone reps to try the password even though the
first two characters don't match when you give the password over the
phone).

Doing the crypt yourself is a bad idea (I did this).  Every time we've
had to get on the phone with them, they would NOT accept that the first
two characters of the password were not the same as the first two
characters of the encrypted password.  We have to go back and find the
encrypted version and give them the first two characters of that.

This also means that anyone with your encrypted password can probably
call up and have changes made (since they know what NetSol believes is
the first two characters).
-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
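
Added example, not part of the original post or of any Network Solutions code: a self-check for a CRYPT-PW password and its 13-character crypt string, reporting the two weaknesses discussed in this thread (8-character truncation, and a salt equal to the first two password characters). The function name, the 95-character printable-ASCII alphabet and the sample records are assumptions; the sample hash bodies are constructed placeholders, not real crypt output.

```python
import math
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
SIGNIFICANT = 8   # DES crypt only reads the first 8 password characters
PRINTABLE = 95    # assumed alphabet: printable ASCII


def audit(password, crypt_string):
    """Return (findings, unknown_chars, bits) for a password and its crypt string."""
    if not DES_CRYPT_RE.match(crypt_string):
        raise ValueError("not a 13-character traditional crypt string")
    findings = []
    effective = password[:SIGNIFICANT]
    if len(password) > SIGNIFICANT:
        findings.append("truncated: characters after the 8th are ignored")
    salt = crypt_string[:2]
    # The salt is stored in the clear, so a salt copied from the password
    # gives away two of the (at most) eight significant characters.
    leaked = 2 if effective[:2] == salt else 0
    if leaked:
        findings.append("salt-leak: salt equals the first two password characters")
    unknown = max(len(effective) - leaked, 0)
    bits = round(unknown * math.log2(PRINTABLE), 1)
    return findings, unknown, bits


# Constructed sample records: (password, crypt string with placeholder hash body).
SAMPLES = [
    ("Tr0ub4dor&3xyz", "TrAAAAAAAAAAA"),  # salt copied from the password
    ("k9#mWq2!", "zQBBBBBBBBBBB"),        # salt unrelated to the password
]

if __name__ == "__main__":
    for pw, cs in SAMPLES:
        findings, unknown, bits = audit(pw, cs)
        print(f"{cs[:2]}...: {unknown} unknown chars (~{bits} bits)", findings)
```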

