[12505] in bugtraq
Re: Insecure handling of NetSol maintainer passwords
daemon@ATHENA.MIT.EDU (Jefferson Ogata)
Wed Nov 10 12:04:01 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <38287ADC.23E073B2@nodc.noaa.gov>
Date: Tue, 9 Nov 1999 14:49:48 -0500
Reply-To: jogata@NODC.NOAA.GOV
From: Jefferson Ogata <jogata@NODC.NOAA.GOV>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

I have also noticed a problem with Network Solutions' handling of passwords for
CRYPT-PW authentication: when you submit the password initially, the form they
generate with their New Contact Form web system runs the password you enter
through crypt(), but the first two characters of the encrypted value (the salt)
are the same as the first two characters of the password, indicating they use
the password as its own salt. This dramatically limits the usefulness of
encrypting the password in the first place, since you've already given away the
first two characters, and probably hamstrung the whole algorithm at the same
time. (More advanced crypto people than I can comment on this.) In any case,
this is definitely the wrong way to do it.

I re-encrypted my password with different salt when submitting it and this
appeared to work fine. But Network Solutions should be generating a random salt
value, not storing a portion of the password unencrypted in their database as
the salt. Most people won't even notice, and very few will know how to generate
their own properly salted value.
--
Jefferson Ogata <jogata@nodc.noaa.gov> National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
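
The following is an added example, not part of the original post: a Python check for the condition the message describes (a traditional 13-character crypt() value whose two-character salt equals the first two characters of the password), plus a salt drawn from a CSPRNG instead. The function names and the sample values are assumptions made for illustration; the sample strings are format-valid placeholders, not real crypt() output.

```python
import re
import secrets

# Alphabet used for salt and hash characters in traditional DES crypt(3).
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Traditional DES crypt output: 2 salt chars + 11 hash chars = 13 chars.
DES_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")


def split_des_crypt(value):
    """Return (salt, digest) for a traditional 13-character crypt string."""
    if not DES_CRYPT_RE.fullmatch(value):
        raise ValueError("not a traditional DES crypt(3) string")
    return value[:2], value[2:]


def salt_leaks_password(password, crypt_value):
    """True when the stored salt equals the first two password characters."""
    salt, _ = split_des_crypt(crypt_value)
    return len(password) >= 2 and password[:2] == salt


def random_salt(password=""):
    """Draw a 2-character salt from a CSPRNG, independent of the password."""
    while True:
        salt = "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))
        # A random draw matches the password prefix 1 time in 4096; redraw then.
        if salt != password[:2]:
            return salt


# Constructed sample values: placeholders with the right shape, not real hashes.
SAMPLE_PASSWORD = "exAmple-pw"
SELF_SALTED = "ex" + "AAAAAAAAAAA"    # salt copied from the password
RANDOM_SALTED = "Q7" + "AAAAAAAAAAA"  # salt unrelated to the password

if __name__ == "__main__":
    for label, value in (("self-salted", SELF_SALTED),
                         ("random-salted", RANDOM_SALTED)):
        print(label, "leaks prefix:", salt_leaks_password(SAMPLE_PASSWORD, value))
    print("fresh salt:", random_salt(SAMPLE_PASSWORD))
```
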