Bugtraq mailing list archives
Re: Plain text passwords--necessary
From: smb () RESEARCH ATT COM (Steven M. Bellovin)
Date: Mon, 19 Apr 1999 17:07:28 -0400
In message <199904191510.LAA03916 () Iodine Mlink NET>, Phillip Vandry writes:
> > First, plain text passwords are being used in places where they need not be. For example the recent post about the Real Media server storing plain text passwords. There is no reason for the server to store plain text passwords. It can store a hash and authenticate users against the hash.
>
> It's the old PAP versus CHAP debate. *YES*, there is reason for the realmedia server to store the password in plaintext (although it should still obfuscate it to prevent accidental viewing). I always like to compare the types of PPP authentication to show this:
>
> Method   Client     Wire       Server
> ------   ---------  ---------  ---------
> PAP      Clear      Clear      Encrypted
> CHAP     Clear      Encrypted  Clear
>
> And I don't think we can do better than that. We can encrypt at only one stage of the process. We have to make a tradeoff.
It's certainly possible to do better -- there's a whole family of protocols that do that. See, for example, http://www.research.att.com/~smb/papers/aeke.ps (or .pdf), which gives encrypted on the wire and at the server. (The predecessor paper is http://www.research.att.com/~smb/papers/neke.ps) There are related protocols by others.
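As an added illustration of the PAP/CHAP table quoted above (example code written for this archive page, not from either poster), the following Python runs a PAP check and an RFC 1994 MD5-CHAP check side by side on constructed values; the PBKDF2 work factor, identifier and sample password are assumptions. It shows the tradeoff concretely: the PAP server verifies from a salted hash while the password crosses the wire in clear, whereas the CHAP server keeps the wire clean but must hold the clear secret, since a hash-only server cannot recompute the response.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for the PAP-side hash

# PAP column of the table: the password itself is the wire message, so the
# server can keep only a salted, stretched hash and still check it.
def pap_enroll(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}

def pap_verify(record: dict, wire_password: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", wire_password, record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])

# CHAP column (RFC 1994, MD5 variant): the wire carries a challenge and
# MD5(identifier || secret || challenge). To recompute that, the server
# must hold the secret in the clear.
def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_verify(stored_secret: str, ident: int, challenge: bytes, response: bytes) -> bool:
    expected = chap_response(ident, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def compare(password: str) -> dict:
    """Run both exchanges and report what the wire and the server each expose."""
    pap_record = pap_enroll(password)
    pap_wire = password.encode()                      # eavesdropper sees this
    ident, challenge = 7, os.urandom(16)              # assumed id, fresh challenge
    response = chap_response(ident, password, challenge)
    chap_wire = (ident, challenge, response)          # eavesdropper sees this
    hash_only_record = hashlib.sha256(password.encode()).hexdigest()
    replay_challenge = os.urandom(16)                 # next session's challenge
    return {
        "pap_ok": pap_verify(pap_record, pap_wire),
        "pap_wire_reveals_password": pap_wire == password.encode(),
        "pap_server_holds_password": password.encode() in pap_record.values(),
        "chap_ok": chap_verify(password, *chap_wire),
        "chap_wire_reveals_password": password.encode() in (challenge + response),
        # a CHAP server that stored only a hash could not verify anyone
        "hash_only_server_can_verify_chap": chap_verify(hash_only_record, *chap_wire),
        # a captured response is useless against a fresh challenge
        "chap_replay_ok": chap_verify(password, ident, replay_challenge, response),
    }

if __name__ == "__main__":
    for key, value in compare("constructed-sample-password").items():
        print(f"{key:36} {value}")
```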