
Bugtraq mailing list archives

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability
From: Peter van Dijk <peter () dataloss nl>
Date: Sat, 9 Jun 2001 00:40:59 +0200

On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote:
> computer.  A new 1ghz computer could easily crank out 6 char passwords in
> mere seconds, 8 char passwords in a few hours, and a 10 char password
> probably in a week to a month or better.

crypt() passwords are never more than 8 characters - anything beyond
8 characters is discarded.

> Possible Workarounds:
>
> Do not use the Crypt-PW authentication-scheme.  Instead use the MAIL_FROM
> or PGP scheme instead.

MAIL_FROM is even less secure than CRYPT-PW. Use PGP :)

> If you must use CRYPT-PW then the following suggestions are recommended:
>  - Password should be at least 10 characters in length.

Again, anything over 8 is useless.

All in all NetSol still hasn't learned.

Greetz, Peter.
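
The 8-character limit discussed in this message, as an added example that is not part of the original post. It assumes the traditional DES-based crypt(3), which builds its 56-bit key from the low 7 bits of each of the first 8 characters; the function names and sample passwords are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CRYPT_MAX_PW 8  /* traditional DES crypt(3) reads at most 8 characters */

/* Build the 8-byte DES key block the way traditional crypt(3) does:
 * the low 7 bits of each of the first 8 characters, shifted into the
 * top 7 bits of the byte (bit 0 is the DES parity bit and is ignored).
 * Shorter passwords are zero-padded; longer ones are cut off. */
void crypt_des_key(const char *pw, unsigned char key[CRYPT_MAX_PW])
{
    size_t i;
    memset(key, 0, CRYPT_MAX_PW);
    for (i = 0; i < CRYPT_MAX_PW && pw[i] != '\0'; i++)
        key[i] = (unsigned char)((pw[i] & 0x7f) << 1);
}

/* Returns 1 if both passwords give the same key, and therefore the
 * same hash under any salt. */
int same_crypt_key(const char *a, const char *b)
{
    unsigned char ka[CRYPT_MAX_PW], kb[CRYPT_MAX_PW];
    crypt_des_key(a, ka);
    crypt_des_key(b, kb);
    return memcmp(ka, kb, CRYPT_MAX_PW) == 0;
}

/* Number of characters that actually contribute to the hash. */
size_t effective_length(const char *pw)
{
    size_t n = strlen(pw);
    return n > CRYPT_MAX_PW ? CRYPT_MAX_PW : n;
}

int main(void)
{
    /* Constructed sample passwords, not taken from the thread. */
    const char *pairs[][2] = {
        { "tenletters", "tenlettezz" },  /* differ only in characters 9-10 */
        { "tenletters", "tenlettXrs" },  /* differ in character 8 */
    };
    size_t i;
    for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-11s vs %-11s same key: %d (effective length %zu)\n",
               pairs[i][0], pairs[i][1],
               same_crypt_key(pairs[i][0], pairs[i][1]),
               effective_length(pairs[i][0]));
    return 0;
}
```

A password-policy check for a crypt()-backed system can use effective_length() to reject or warn on passwords whose extra characters would be silently ignored.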
