Message-ID: <1054665328.4656.14.camel@doom.home.ludost.net>
From: vasil at ludost.net (Васил Колев)
Subject: Re: IRCXpro 1.0 - Clear local and default remote admin passwords

On Tue, 2003-06-03 at 18:31, IRCXpro Support wrote:
> Reply to Feedback from Darren:
> 
> > Firstly, there has been support for storing passwords, encrypted, in
> > configuration files on Unix for over 10 years, if not longer.  I can
> 
> The reason why IRC servers "IRCD.config" files don't use encryption (see
> file attachment for example) is because 49 times out of 50 they do not come
> with a GUI program.  Administrators main method of changing the
> configuration is to manually edit the file using a notepad utility.
> 

Ok, I'll bite :)
Anyone who needs a 'gui' to edit their ircd.conf file and, not having
one, uses Notepad, shouldn't be doing it in the first place...
There are a lot of irc networks now, and being ircadmin in one
medium/small network, I can tell you that everyone who has a server in
this network uses encrypted passwords. They're easy to work with
(although a little more difficult than plaintext passwords) and
everyone has mkpasswd or something else installed. In fact, if you offer
a gui to config the servers, a lot of people will ask "what's the
problem with the old method?"

Also, there is the issue of knowing someone's password - let's say that
only one person is editing the conf file, and he doesn't need or want to
know the password for every oper there. So what? He just asks them for
their encrypted passwords, and that's all, so even if they reuse the
password that they gave you somewhere, you're safe to say that you
didn't use it/leak it (although you can still sniff it in a lot of ways).

There are a lot of reasons to store the passwords encrypted... And not
that many reasons to store them unencrypted - in fact, there is only one
good reason that I can think of, and it's the need to retrieve lost
passwords, but the best way to do that is to keep a hardened database
of the unencrypted passwords, and use it for this sole purpose.
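An added example (not from the mail, from IRCXpro, or from any ircd) of the workflow Vasil describes: each oper hashes their own password locally (the mkpasswd step), the admin pastes only the hash into the conf file, and the server verifies logins against it without anyone but the oper ever seeing the plaintext. The `O:<hostmask>:<hash>:<nick>` line layout, the `pbkdf2$...` hash encoding and the sample conf are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical oper-line layout, loosely modelled on old "O:" lines in
# ircd.conf; constructed for this example, not IRCXpro's or any ircd's format:
#   O:<hostmask>:<password-hash>:<nick>
ITERATIONS = 200_000

def make_oper_hash(password, salt=None):
    """The mkpasswd step: each oper runs this locally and sends the admin
    only the result, formatted as pbkdf2$<iters>$<salt-b64>$<hash-b64>."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, base64.b64encode(salt).decode(),
                                base64.b64encode(digest).decode())

def check_hash(password, stored):
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        scheme, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)

def parse_oper_lines(conf_text):
    """Map oper nick -> stored hash from O: lines; everything else is ignored."""
    opers = {}
    for line in conf_text.splitlines():
        if line.startswith("O:"):
            _, _hostmask, pw_hash, nick = line.split(":", 3)
            opers[nick] = pw_hash
    return opers

def verify_oper(conf_text, nick, password):
    """Server-side login check: the admin who wrote the file never saw the plaintext."""
    stored = parse_oper_lines(conf_text).get(nick)
    return stored is not None and check_hash(password, stored)

# Constructed sample: a fixed salt keeps the hash reproducible between runs.
OPER_HASH = make_oper_hash("correct horse", salt=b"0123456789abcdef")
SAMPLE_CONF = "M:irc.example.net::Example server\nO:*@*.example.net:%s:alice\n" % OPER_HASH
```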
