Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

From: Chris Adams (cmadamsat_private)
Date: Fri Jun 08 2001 - 12:25:46 PDT


    Once upon a time, Peter Ajamian <peterat_private> said:
    > While crypt password authentication is not in and of itself very secure,
    > Network Solutions have made it even less so by including the first two
    > characters of the password as the salt of the encrypted form.  While the
    
    This is not new; I believe that it has come up before.
    
    > If you must use CRYPT-PW then the following suggestions are recommended:
    >  - Password should be at least 10 characters in length.
    
    Pointless, as the algorithm will only look at 8 characters.
    
    >  - The password should contain a combination of upper and lower case as
    > well as numbers and preferably some other symbols.
    >  - Do not use any dictionary words, proper names, or other easily
    > recognizable character sequences or forms of them in your password.
    
    Those are general good password recommendations.
    
    >  - The first two characters of your password should be _completely_
    > unrelated to the rest of the password and should not provide any hints as
    > to what the balance of the password may be.
    
    Good idea.
    
    >  - If you have access to and know how to use your own crypt generating
    > program you should be able to substitute your own encryption for that
    > provided by Network Solutions on the form.  If you can do this it is
    > recommended that you use a random salt to generate your password or at
    > least one that is unrelated to the password itself (note I did not test
    > this to see if Network Solutions would accept such a substitution of
    > passwords on their form but the method by which the scheme is implemented
    > suggests that it should work) (note if you try this you may have to
    > convince Network Solutions phone reps to try the password even though the
    > first two characters don't match when you give the password over the
    > phone).
    
    Doing the crypt yourself is a bad idea (I did this).  Every time we've
    had to get on the phone with them, they would NOT accept that the first
    two characters of the password were not the same as the first two
    characters of the encrypted password.  We have to go back and find the
    encrypted version and give them the first two characters of that.
    
    This also means that anyone with your encrypted password can probably
    call up and have changes made (since they know what NetSol believes is
    the first two characters).
    -- 
    Chris Adams <cmadamsat_private>
    Systems and Network Administrator - HiWAAY Internet Services
    I don't speak for anybody but myself - that's enough trouble.
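The property both posters are arguing about, as an added illustration (not code from the thread or from Network Solutions): traditional crypt(3) prepends its two-character salt to the stored form, so a salt taken from the password's first two characters stores those characters in the clear, while an independent random salt does not. The salt alphabet `./0-9A-Za-z` is the standard crypt(3) one; the encrypted forms used below are constructed sample values.

```python
"""Salt handling for the crypt(3) scheme discussed in the thread.

crypt(3) keeps only the first 8 password characters and prefixes its
13-character output with the 2-character salt. The helpers below derive the
salt the way the thread says the Network Solutions form does, generate a
random salt instead, and audit stored entries for the weak form.
"""
import secrets
import string

# Characters traditional crypt(3) accepts in its salt.
SALT_ALPHABET = "./" + string.digits + string.ascii_letters
CRYPT_MAX_LEN = 8  # crypt(3) ignores everything past this point


def netsol_salt(password: str) -> str:
    """Salt as the thread describes the form deriving it: password[:2]."""
    salt = password[:2]
    if len(salt) != 2 or any(c not in SALT_ALPHABET for c in salt):
        # The thread does not say what the form does with such passwords,
        # so refuse rather than guess.
        raise ValueError("first two characters are not a usable crypt salt")
    return salt


def random_salt() -> str:
    """Salt unrelated to the password, drawn from a CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))


def salt_of(encrypted: str) -> str:
    """What a phone rep reads off the stored form as 'the first two characters'."""
    return encrypted[:2]


def salt_reveals_password(password: str, encrypted: str) -> bool:
    """True when the stored salt equals the password prefix (the weak scheme)."""
    return salt_of(encrypted) == password[:CRYPT_MAX_LEN][:2]


def audit(entries):
    """Return the (password, encrypted) records whose salt leaks the prefix."""
    return [(pw, enc) for pw, enc in entries if salt_reveals_password(pw, enc)]


if __name__ == "__main__":
    # Constructed sample: a form stored with an independent salt "ab".
    print(audit([("password", "abJnggxhB/yWI"), ("password", "paQ9x0bfg3Yk.")]))
```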