[20950] in bugtraq


Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

daemon@ATHENA.MIT.EDU (Peter van Dijk)
Sun Jun 10 19:21:23 2001

Date: Sat, 9 Jun 2001 00:40:59 +0200
From: Peter van Dijk <peter@dataloss.nl>
To: bugtraq@securityfocus.com
Message-ID: <20010609004058.A47937@dataloss.nl>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3B2080BE.59D691D8@pajamian.dhs.org>; from peter@pajamian.dhs.org on Fri, Jun 08, 2001 at 12:37:34AM -0700

On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:
[snip]
> computer.  A new 1 GHz computer could easily crank out 6 char passwords in
> mere seconds, 8 char passwords in a few hours, and a 10 char password
> probably in a week to a month or better.

crypt() passwords are never more than 8 characters - anything beyond
8 characters is discarded.

[snip]
> Possible Workarounds:
> 
> Do not use the Crypt-PW authentication-scheme.  Instead use the MAIL_FROM
> or PGP scheme instead.

MAIL_FROM is even less secure than CRYPT-PW. Use PGP :)

> If you must use CRYPT-PW then the following suggestions are recommended:
>  - Password should be at least 10 characters in length.

Again, anything over 8 is useless.

All in all NetSol still hasn't learned.

Greetz, Peter.
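Added example, not part of either post: a small check of the 8-character truncation described above, run against the system's own crypt(3) (the stdlib crypt module where Python still ships it, otherwise libcrypt loaded through ctypes). It assumes a glibc/libxcrypt system on which traditional DES crypt (two-character salt) is still enabled.

```python
import ctypes
import ctypes.util


def _load_crypt():
    """Return a callable crypt(word, salt) -> str, trying the stdlib first."""
    try:
        import crypt as _stdlib_crypt  # removed in Python 3.13
        return _stdlib_crypt.crypt
    except ImportError:
        pass
    # Fallback: call crypt() directly from libcrypt (assumes glibc/libxcrypt).
    lib = ctypes.CDLL(ctypes.util.find_library("crypt") or "libcrypt.so.1")
    lib.crypt.restype = ctypes.c_char_p
    lib.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]

    def _c(word, salt):
        out = lib.crypt(word.encode(), salt.encode())
        return out.decode() if out else ""

    return _c


_crypt = _load_crypt()


def des_crypt(password, salt="ab"):
    """Traditional DES crypt; a two-character salt selects the DES scheme."""
    h = _crypt(password, salt)
    # libxcrypt returns "*0"/"*1" (and glibc NULL) when the scheme is refused.
    if not h or h.startswith("*"):
        raise RuntimeError("traditional DES crypt() is not available here")
    return h


def same_hash(a, b, salt="ab"):
    """True when two different passwords yield the identical DES crypt hash."""
    return des_crypt(a, salt) == des_crypt(b, salt)


def effective_length(password, salt="ab"):
    """Shortest prefix of `password` that hashes identically to the whole
    password, i.e. how many characters crypt() actually consumed."""
    for n in range(1, len(password) + 1):
        if same_hash(password[:n], password, salt):
            return n
    return len(password)


if __name__ == "__main__":
    # Constructed sample values: a "10 character" secret and its 8-char prefix.
    print(des_crypt("password12"), des_crypt("password"))
    print("characters actually used:", effective_length("zaphod-beeb"))
```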
