Auf dieser Website werden Cookies gesetzt, die für den sicheren Betrieb technisch erforderlich sind. Siehe: Datenschutz

Clear text passwords...

by Thomas,
assono GmbH, Standort Kiel,


Passwords are written to a file on the client computer in clear text, if the following notes.ini variables are set:

KFM_ShowEntropy=1
Debug_Outfile=c:\pwdchange.txt


and the user changes his password.


This is a debbuging function, which got into the production code of the Notes client.


Risks:
1st If the attacker

and

2. the user restarts the Notes client


and

3. he changes his password


and

4. the attacker has access to the created
file and the ID file of the user


than

he can authenticate as this user against
the Domino server.


Defense:

Personal annotation: Forced periodic
changes of passwords are no more only risky, because the users tend to
easy passwords or to write them down...


Sources:

Huge
security hole in Notes (by Volker Weber)


Password
exposure in Lotus Notes


Response
to 'Password exposure in Lotus Notes'

Technical article IBM Notes IBM Notes Traveler Security

You have questions about this article? Contact us: blog@assono.de

Sie wollen eine individuelle Beratung oder einen Workshop? Read more

More interesting entries

Any questions? Contact us.

If you want to know more about our offers, you can contact us at any time. There are several ways to contact us for a non-binding first consultation.

assono GmbH

Location Kiel (headquarters)
assono GmbH
Lise-Meitner-Straße 1–7
24223 Schwentinental

Location Hamburg
assono GmbH
Bornkampsweg 58
22761 Hamburg

Phone numbers:
Human resources department: +49 4307 900 407
Marketing department: +49 4307 900 402

E-Mail adresses:
contact@assono.de
bewerbung@assono.de