I'm responding to both messages at once. The notes.id password is logically distinct from the HTTP password. That said, many notes users set the same password in both places. The HTTP password may be either salted or unsalted depending on whether the administrators have configured the server that way. There are two *easy* ways to attack a HTTP password. Throw a dictionary at the @Password(string) function and compare this with the unsalted password from the address book. Alternatively, run a dictionary against a httpd and attempt to login that way. Obviously that will generate buckets of log messages. I hear that there's a crypto-analysis attack on the notes.id+httpd password but you'd have to be smarter than me to make it work. Cracking a .id would be nicer since that may be done offline. In the absense of a regular scripted approach you could fake a machine out and run something that simulates a user moving the mouse and typing at the keyboard. While that'd be a pain and not particularly fast it'll be faster to setup than doing the password checking via the Notes API. Joshua b. Jore ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 15:26:48 PST