lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <001301c413fa$0ca072d0$2a29a8c0@fastguy>
From: kevin.davis at mindless.com (~Kevin DavisĀ³)
Subject: Nessus stores credentials in plain text

Many people would disagree that storing passwords in plaintext is not a
vulnerability.  This includes entities like ISS who werre doing the same
thing and once realized it changed it.  For many, it is not a matter of
merely being "nice" to encrypt plaintext passwords, but a requirement.  You
are giving the keys to the kingdom away for free here.

----- Original Message ----- 
From: "Raymond Morsman" <raymond@....org>
To: "~Kevin Davis?" <computerguy@....rr.com>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Saturday, March 27, 2004 4:08 AM
Subject: Re: [Full-Disclosure] Nessus stores credentials in plain text


> On Sat, 2004-03-27 at 06:01, ~Kevin Davis? wrote:
> > I have posted this issue to a couple entities like bugtraq and CERT
> > with no response.  I mentioned this issue to an organization
>
> And so it should be. These are not vulnerabilities in the pure sense of
> the word.
>
> What you call credentials are nothing more than system data for Nessus
> and therefore not an issue for Nessus.
>
> You can't use MD5 on systemdata.
>
> However, I must agree that it would be nice if this information would be
> encrypted with the users password.
>
> Raymond.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ