> On Fri, 08 Jun 2001 00:37:34 -0700 Peter Ajamian <peterat_private> wrote.
> Problem:
>
> While crypt password authentication is not in and of itself very secure,
> Network Solutions have made it even less so by including the first two
> characters of the password as the salt of the encrypted form. While the
> password is transmitted via a secure session, the encrypted form is
> returned almost immediately in a non-encrypted www session. Also, this
> password is typically emailed back and forth to the user no less than two
> times (and often times more). This allows several opportunities for
> someone to observe the encrypted password; this in and of itself is not
> good.

<snip>

Peter, great call. I was actually going to post about this myself, but wasn't sure if this list was the right place for the NS web-based stuff.

There are some additional concerns about their Crypt-PW solution (which I've mentioned to them, and they've not done anything about it)...

1) Even though Crypt-PW is supposedly a replacement for MAIL-TO, you still must have a valid email address to use Crypt-PW... so what IS the point of having Crypt-PW? (Especially as it's not secure.)

2) If you do NOT have a valid email address (i.e. dropped account, etc.) NS emails the completed forms (with the entire Auth password) to the address anyway. If, especially in the case of some ISPs, they have 'reused' the login after an extended amount of time, they've just emailed someone else your encrypted password for your domain. If not, it's going to go into the admin no-relay logs, leaving it open to abuse by someone with access to the mail host.

And, not to leave out Peter's mention of the fact that they are sending the cleartext mail (with the password) where anyone can view it.

Workarounds... do NOT use Crypt-PW as an authentication, and ensure that you change your domain records *before* losing the account, as Crypt-PW will not allow you to access or change records if you do not still own the email address.

Cheers!
Jan Kohl
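The quoted point about the salt being the first two characters of the password is easy to see in code. The following is an added illustration written for this archive page; it is not code from Network Solutions or from either poster. It uses a SHA-256 stand-in for the DES-based crypt(3) transform (the hash itself is irrelevant to the leak, and recent Python releases no longer ship the `crypt` module), while keeping the traditional crypt(3) layout in which a two-character salt is stored in the clear at the front of the string. The function names, the audit check and the sample password are all constructed for the example.

```python
import hashlib
import secrets
import string

# Traditional crypt(3) draws its 2-character salt from this 64-symbol alphabet
# and stores it in the clear as the first two characters of the result.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"
SALT_LEN = 2


def _digest(salt: str, password: str) -> str:
    """Stand-in for the crypt(3) transform (constructed; not DES).

    Only the shape of the output matters here: salt in the clear, then the
    salted digest of the password.
    """
    return hashlib.sha256((salt + password).encode()).hexdigest()[:11]


def hash_with_password_salt(password: str) -> str:
    """The weak scheme the thread describes (constructed approximation):
    the salt is taken from the password itself, so the stored string
    reveals the password's first two characters to anyone who sees it."""
    salt = password[:SALT_LEN]
    return salt + _digest(salt, password)


def hash_with_random_salt(password: str) -> str:
    """The normal scheme: the salt is random and independent of the
    password, so seeing the stored string reveals nothing about it."""
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))
    return salt + _digest(salt, password)


def salt_of(stored: str) -> str:
    """Whatever scheme produced it, the salt is public: it is the prefix."""
    return stored[:SALT_LEN]


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored string by re-deriving the digest
    with the salt carried in the string."""
    salt = salt_of(stored)
    return stored == salt + _digest(salt, password)


def salt_exposes_password(password: str, stored: str) -> bool:
    """Audit check to run at hash-creation time (constructed): flag any
    stored string whose public salt equals the start of the password, since
    every copy of that string (web page, email, mail logs) then leaks those
    characters."""
    return salt_of(stored) == password[:SALT_LEN]


if __name__ == "__main__":
    pw = "hunter42"  # constructed sample password
    weak = hash_with_password_salt(pw)
    good = hash_with_random_salt(pw)
    print("password-derived salt:", weak, "-> leaks", repr(salt_of(weak)))
    print("random salt:          ", good, "-> salt", repr(salt_of(good)))
    print("weak scheme flagged:", salt_exposes_password(pw, weak))
```

The audit check is the defensive takeaway: a salt is meant to be public, so anything that derives it from the secret turns every exposed copy of the hash (the unencrypted web response and the emails the thread mentions) into a partial disclosure of the password. With a traditional 8-character crypt(3) password, two characters in the clear cut the search space by a factor of the alphabet size squared.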
This archive was generated by hypermail 2b30 : Sun Jun 10 2001 - 16:07:08 PDT