lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: mosten at bleepyou.com (Michael Osten)
Subject: Re: IRCXpro 1.0 - Clear local and default remote admin passwords

> The reason why IRC servers "IRCD.config" files don't use encryption (see
> file attachment for example) is because 49 times out of 50 they do not
come
> with a GUI program.  Administrators main method of changing the
> configuration is to manually edit the file using a notepad utility.

It has nothing to do with having a GUI or not.  You obviously have no
concept of Unix permissions, so using a unix analogy should be avoided in
the future.  The config file that you speak of would be set to only be
readable and/or writable the user running the daemon.  Even the existance of
that password in the config file woud lend it self a bad design as every
application in (linux at least) can have hooks to PAM and use the same
encrypted password.  If the password *was* in the config file, to read this
file, you would need that users priviledges, or priviledges greater than
that user.  If you have either, crypting the password would be a bit
pointless (not to say that people don't do it).

I'm not even going to touch the "notepad utility" comment.


> Overuse in the use of encrypted passwords can be counter productive to
> functionality.
> There are good reasons to keep passwords clear text passwords to better
> interface with other software.
> For example Merak Mail server software
> (http://www.icewarp.com/Products/Merak_Email_Server_Software/)
> When using this mail server, it can store the accounts on an SQL Server.
> The passwords are stored clear text.  This enables other software to
> interface with its data to create and sync its accounts/passwords with
other
> systems.


No, No, No.  Bad design, stupid design.  I've never heard of your or "Merak
Mail" software, but thanks for pointing them out.  I can avoid both steaming
piles of crap.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ