Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

From: Peter van Dijk (peterat_private)
Date: Fri Jun 08 2001 - 15:40:59 PDT

    On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:
    [snip]
    > computer.  A new 1GHz computer could easily crank out 6 char passwords in
    > mere seconds, 8 char passwords in a few hours, and a 10 char password
    > probably in a week to a month or better.
    
    crypt() passwords are never more than 8 characters - anything beyond
    8 characters is discarded.
    
    [snip]
    > Possible Workarounds:
    > 
    > Do not use the Crypt-PW authentication-scheme.  Instead use the MAIL_FROM
    > or PGP scheme.
    
    MAIL_FROM is even less secure than CRYPT-PW. Use PGP :)
    
    > If you must use CRYPT-PW then the following suggestions are recommended:
    >  - Password should be at least 10 characters in length.
    
    Again, anything over 8 is useless.
    
    All in all NetSol still hasn't learned.
    
    Greetz, Peter.
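
Added example, not part of the original message: a Python model of the key-preparation step of traditional DES-based crypt(3), which shows why characters past the eighth add nothing. It does not compute the full hash; the function names and sample passwords are constructed for illustration.

```python
# Added example: models only how traditional DES-based crypt(3) turns a
# password into a DES key. It does not compute the full hash.

DES_CRYPT_MAX = 8  # only this many password bytes ever reach the DES key


def des_crypt_key(password: str) -> bytes:
    """Return the 8 key bytes traditional crypt() builds from a password.

    Only the first 8 bytes are used. Each contributes its low 7 bits,
    shifted left by one, because the low bit of every DES key byte is a
    parity bit the cipher ignores. Shorter passwords are zero-padded.
    """
    raw = password.encode("utf-8")[:DES_CRYPT_MAX]
    raw = raw.ljust(DES_CRYPT_MAX, b"\0")
    return bytes((b << 1) & 0xFF for b in raw)


def effective_keyspace(alphabet_size: int, length: int) -> int:
    """Distinct crypt() keys reachable by passwords of the given length."""
    return min(alphabet_size ** min(length, DES_CRYPT_MAX), 2 ** 56)


def truncation_collisions(passwords):
    """Group passwords that map to the same key.

    With the same salt, every password in a group yields the same hash.
    """
    groups = {}
    for pw in passwords:
        groups.setdefault(des_crypt_key(pw), []).append(pw)
    return [g for g in groups.values() if len(g) > 1]


# Constructed sample passwords, not taken from the post.
SAMPLE = ["correcthorse", "correcthammer", "correcth", "s3cret!", "tr0ub4dor&3"]

if __name__ == "__main__":
    for group in truncation_collisions(SAMPLE):
        print("indistinguishable to crypt():", group)
    # A 10-character policy searches no more keys than an 8-character one.
    print(effective_keyspace(95, 10) == effective_keyspace(95, 8))
```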
    


