Message-ID: <001301c413fa$0ca072d0$2a29a8c0@fastguy>
From: kevin.davis at mindless.com (~Kevin Davis³)
Subject: Nessus stores credentials in plain text

Many people would disagree that storing passwords in plaintext is not a
vulnerability. This includes entities like ISS who were doing the same
thing and, once they realized it, changed it. For many, it is not a matter
of merely being "nice" to encrypt plaintext passwords, but a requirement.
You are giving the keys to the kingdom away for free here.

----- Original Message -----
From: "Raymond Morsman" <raymond@....org>
To: "~Kevin Davis?" <computerguy@....rr.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Saturday, March 27, 2004 4:08 AM
Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text

> On Sat, 2004-03-27 at 06:01, ~Kevin Davis? wrote:
> > I have posted this issue to a couple entities like bugtraq and CERT
> > with no response. I mentioned this issue to an organization
>
> And so it should be. These are not vulnerabilities in the pure sense of
> the word.
>
> What you call credentials are nothing more than system data for Nessus
> and therefore not an issue for Nessus.
>
> You can't use MD5 on systemdata.
>
> However, I must agree that it would be nice if this information would be
> encrypted with the users password.
>
> Raymond.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html