[10262] in bugtraq
Re: Plain text passwords--necessary
daemon@ATHENA.MIT.EDU (Phillip Vandry)
Mon Apr 19 14:24:38 1999
Date: Mon, 19 Apr 1999 11:10:20 -0400
Reply-To: Phillip Vandry <vandry@MLINK.NET>
From: Phillip Vandry <vandry@MLINK.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Fri, 16 Apr 1999 13:14:59 EDT."
<19990416131459.K2282@underground.org>
> First, plain text passwords are being used in places where they need not
> be. For example the recent post about the Real Media server storing
> plain text passwords. There is no reason for the server to store
> plain text passwords. It can store a hash and authenticate users
> against the hash.
It's the old PAP versus CHAP debate. *YES*, there is reason for the
realmedia server to store the password in plaintext (although it
should still obfuscate it to prevent accidental viewing). I always
like to compare the types of PPP authentication to show this:
Method   Client     Wire        Server
------   ---------  ----------  ---------
PAP      Clear      Clear       Encrypted
CHAP     Clear      Encrypted   Clear
And I don't think we can do better than that. We can encrypt at only one
stage of the process. We have to make a tradeoff.
(Not that I'm saying RealMedia uses the CHAP model and encrypts over the
wire. It probably doesn't, and if that is the case, then it is indeed
stupid.)
-Phil
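The PAP/CHAP tradeoff from the table above, as an added example that is not part of the original post: it models RFC 1994 CHAP (MD5 over identifier, secret and challenge, so the server must hold the secret itself) next to a PAP-style server that keeps only a salted hash because the password arrives in clear. The user name, secret and challenge values are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample credentials (not from the original post).
USER = "alice"
SECRET = b"correct horse battery staple"

# --- CHAP model: clear at client, protected on the wire, clear at server ---
# The server keeps the secret itself, because checking a response means
# recomputing MD5(id || secret || challenge) exactly as the client did.
chap_server_db = {USER: SECRET}  # plaintext at rest (obfuscate on disk at least)

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: RFC 1994 MD5 response value; SECRET never goes on the wire."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()

def chap_verify(ident: int, user: str, challenge: bytes, response: bytes) -> bool:
    """Server side: impossible without the stored plaintext secret."""
    secret = chap_server_db.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)

# --- PAP model: clear at client, clear on the wire, hashed at server ---
def pap_enroll(password: bytes) -> tuple:
    """Server stores (salt, PBKDF2 hash); the raw password is not retained."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

pap_server_db = {USER: pap_enroll(SECRET)}

def pap_verify(user: str, password_on_wire: bytes) -> bool:
    """Server side: the password itself arrived over the wire, so hash-and-compare works."""
    entry = pap_server_db.get(user)
    if entry is None:
        return False
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password_on_wire, salt, 100_000)
    return hmac.compare_digest(candidate, stored)

def demo() -> dict:
    """Run one exchange under each model; every value should be True."""
    challenge, ident = os.urandom(16), 1
    on_wire = chap_response(ident, SECRET, challenge)  # what a sniffer sees under CHAP
    return {
        "chap_ok": chap_verify(ident, USER, challenge, on_wire),
        "chap_replay_rejected": not chap_verify(ident, USER, os.urandom(16), on_wire),
        "pap_ok": pap_verify(USER, SECRET),  # under PAP the sniffer sees SECRET itself
        "pap_wrong_rejected": not pap_verify(USER, b"wrong"),
    }
```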