Message-Id: <200910231511.n9NFBXn7016083@www3.securityfocus.com>
Date: Fri, 23 Oct 2009 09:11:33 -0600
From: jason@...er-security.co.uk
To: bugtraq@...urityfocus.com
Subject: HP Quality Centre Weak password Obfuscation

Not a major issue, but should be noted:

The password in QC and maybe TD is obfuscated as below:

Password using 'jason' is:
PASSWORD:\0000001e\ENRCRYPTED189!206!226!219!217!

As you will see, each char has a 3-digit number and an exclamation mark. This is not in any way random; it is static, depending on where the password char is in the order. Below is the output of 10 'a' chars; as you will see, the 2nd char 'a' is always 206!, so easy to map out! If the password is blank the digits are not populated:

PASSWORD:\00000032\ENRCRYPTED180!206!208!205!204!194!184!194!212!169!

As most customers implement QC with http, HP are advising that SSL should be implemented (obviously). Please see HP's response below:

--------

Hello Jason,

The obfuscation was intended to conceal the passwords from casual inspection.  Https must be used if robust encryption is required.  We are considering modifying the product documentation to make that clear.


Yours truly,
John
john.morris@...com
HP Software Security Response Team (SSRT)

--------
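The layout the post describes, as an added example (not code from the post or from HP): a parser that validates the PASSWORD:\<hex>\ENRCRYPTED format, and a check that shows the missing salt, since equal tokens at the same index imply the same plaintext character. It assumes the 8-digit hex field is the length of everything after the second backslash, which holds for both samples in the post (0x1e = 30, 0x32 = 50).

```python
import re

# Layout seen in the post: PASSWORD:\<8 hex digits>\ENRCRYPTED<3 digits>!<3 digits>!...
# One "<3 digits>!" token per password character; nothing after ENRCRYPTED when blank.
_QC_RE = re.compile(r"^PASSWORD:\\([0-9a-fA-F]{8})\\ENRCRYPTED((?:\d{3}!)*)$")


def parse_obfuscated(blob):
    """Return the per-position tokens as integers.

    Raises ValueError if the string does not match the layout or the hex length
    field is inconsistent. Assumption (verified against both samples in the post):
    the hex field is the length of "ENRCRYPTED" plus the token run.
    """
    m = _QC_RE.match(blob)
    if not m:
        raise ValueError("not a QC obfuscated password string")
    declared = int(m.group(1), 16)
    actual = len("ENRCRYPTED") + len(m.group(2))
    if declared != actual:
        raise ValueError(f"length field says {declared}, body is {actual}")
    return [int(t) for t in m.group(2).split("!") if t]


def is_valid(blob):
    """True if the string is a well-formed QC obfuscated password."""
    try:
        parse_obfuscated(blob)
        return True
    except ValueError:
        return False


def shared_positions(blob_a, blob_b):
    """Indexes at which two obfuscated strings carry the same token.

    The scheme is a fixed per-position substitution with no salt, so equal
    tokens at the same index mean the two passwords share that character.
    This is the property the post points out with 'a' -> 206! at position 2.
    """
    a, b = parse_obfuscated(blob_a), parse_obfuscated(blob_b)
    return [i for i, (x, y) in enumerate(zip(a, b)) if x == y]


# The two samples from the post: password 'jason', and ten 'a' characters.
SAMPLE_JASON = r"PASSWORD:\0000001e\ENRCRYPTED189!206!226!219!217!"
SAMPLE_TEN_A = r"PASSWORD:\00000032\ENRCRYPTED180!206!208!205!204!194!184!194!212!169!"
```

Running shared_positions on the two samples returns [1], the shared 'a' in second position; a detection rule can use is_valid to flag these strings in config files or captured HTTP bodies.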
