Full Disclosure mailing list archives
Re: Re: IRCXpro 1.0 - Clear local and default remote admin passwords
From: Васил Колев <vasil () ludost net>
Date: 03 Jun 2003 21:35:28 +0300
On ?, 2003-06-03 at 18:31, IRCXpro Support wrote:
Reply to Feedback from Darren:

Firstly, there has been support for storing passwords, encrypted, in configuration files on Unix for over 10 years, if not longer. I can

The reason why IRC servers' "IRCD.config" files don't use encryption (see file attachment for example) is because 49 times out of 50 they do not come with a GUI program. Administrators' main method of changing the configuration is to manually edit the file using a notepad utility.
Ok, I'll bite :) Anyone who needs a 'gui' to edit their ircd.conf file and, because of not having one, uses Notepad, shouldn't be doing it in the first place...

There are a lot of irc networks now, and being ircadmin in one medium/small network, I can tell you that everyone who has a server in this network uses encrypted passwords. They're easy to work with (although a little more difficult than plaintext passwords) and everyone has mkpasswd or something else installed. In fact, if you offer a gui to config the servers, a lot of people will ask "what's the problem with the old method?"

Also, there is the issue of knowing someone's password - let's say that only one person is editing the conf file, and he doesn't need and want to know the password for every oper there. So what? He just asks them for their encrypted passwords, and that's all, so even if they reuse the password that they gave you somewhere, you're safe to say that you didn't use it/leak it (although you can still sniff it in a lot of ways).

There are a lot of reasons to store the passwords encrypted... And not that many reasons to store them unencrypted - in fact, there is only one good reason that I can think of, and it's the need to retrieve lost passwords, but the best way to do that is to keep a hardened database of the unencrypted passwords, and use it for this sole purpose.
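
The workflow described in the message above, as an added example that is not part of the original post or of any ircd: each oper hashes a password locally and sends only the hash, the admin pastes it into the config, and the server checks logins against it. It assumes a classic colon-separated `O:hostmask:password:nick:flags` line and, in place of the crypt(3) hashes that mkpasswd produces, uses PBKDF2 from Python's standard library with a storage format constructed for this example.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "$pbkdf2-sha256$"  # constructed format for this example, not a real ircd scheme
ITERATIONS = 200_000        # assumed work factor

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def make_hash(password, salt=None):
    """Oper side: run locally and hand only the returned string to the admin."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "{}{}${}${}".format(PREFIX, ITERATIONS, _b64(salt), _b64(dk))

def check_hash(stored, candidate):
    """Server side: recompute with the stored salt, compare in constant time."""
    if not stored.startswith(PREFIX):
        return False  # plaintext or unknown scheme: refuse rather than compare
    try:
        iters, salt_b64, dk_b64 = stored[len(PREFIX):].split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iters))
    except ValueError:  # malformed field (bad split, bad base64, bad count)
        return False
    return hmac.compare_digest(dk, expected)

def parse_olines(conf_text):
    """Return {nick: password_field} from O:hostmask:password:nick:flags lines."""
    opers = {}
    for line in conf_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == "O":
            opers[fields[3]] = fields[2]
    return opers

def plaintext_entries(conf_text):
    """Audit helper: nicks whose password field is not a hash in this format."""
    opers = parse_olines(conf_text)
    return sorted(n for n, p in opers.items() if not p.startswith(PREFIX))

# Constructed sample: alice sent a hash, bob's entry was typed in the clear.
SAMPLE_CONF = "\n".join([
    "# constructed ircd.conf fragment",
    "O:*@10.0.0.*:" + make_hash("correct horse", salt=b"0123456789abcdef") + ":alice:O",
    "O:*@10.0.0.*:hunter2:bob:O",
])
```

The fixed salt in the sample only makes the output reproducible; called without `salt`, `make_hash` draws a random one.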