mailing list archives
Re: Nessus stores credentials in plain text
From: Raymond Morsman <raymond () dyn org>
Date: Sun, 28 Mar 2004 23:27:18 +0200
On Sat, 2004-03-27 at 17:47, ~Kevin Davis³ wrote:
Many people would disagree that storing passwords in plaintext is not a
vulnerability. This includes entities like ISS who were doing the same
thing and once realized it changed it. I don't see how a plaintext username
password is simply "system data" and not also credentials. And guess what?
Nessus itself has several plugins that check for plaintext passwords in
Q: Does Nessus use this data for its own persona-check?
A: No, it uses it for client connections.
Full-Disclosure - We believe in it.