mailing list archives
Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability
From: Chris Adams <cmadams () hiwaay net>
Date: Fri, 8 Jun 2001 14:25:46 -0500
Once upon a time, Peter Ajamian <peter () pajamian dhs org> said:
While crypt password authentication is not in and of itself very secure,
Network Sulotions have made it even less so by including the first two
characters of the password as the salt of the encrypted form. While the
This is not new; I believe that it has come up before.
If you must use CRYPT-PW then the following suggestions are recommended:
- Password should be at least 10 characters in length.
Pointless, as the algorithm will only look at 8 characters.
- The password should contain a combination of upper and lower case as
well as numbers and preferably some other symbols.
- Do not use any dictionary words, proper names, or other easily
recognizable character sequences or forms of them in your password.
Those are general good password recommendations.
- The first two characters of your password should be _completely_
unrelated to the rest of the password and should not provide any hints as
to what the balance of the password may be.
- If you have access to and know how to use your own crypt generating
program you should be able to substitute your own encryption for that
provided by Network Solutions on the form. If you can do this it is
recommended that you use a random salt to generate your password or at
least one that is unrelated to the password itself (note I did not test
this to see if Network Solutions would accept such a substitution of
passwords on thier form but the method by which the scheme is implemented
suggests that it should work) (note if you try this you may have to
convince Network Solutions phone reps to try the password even though the
first two characters don't match when you give the password over the
Doing the crypt yourself is a bad idea (I did this). Every time we've
had to get on the phone with them, they would NOT accept that the first
two characters of the password were not the same as the first two
characters of the encrypted password. We have to go back and find the
encryped version and give them the first two characters of that.
This also means that anyone with your encrypted password can probably
call up and have changes made (since they know what NetSol believes is
the first two characters).
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.