Bugtraq mailing list archives

Re: Plain text passwords--necessary

From: tschroed () ACM ORG (Trevor Schroeder)
Date: Mon, 19 Apr 1999 12:59:56 -0500


(Here's hoping this makes it past the censor ;)

On Fri, 16 Apr 1999, Aleph One wrote:

Lots of replies to this message but they all failed to really answer
the questions raised by the original post.


It seems to me that a lot of this could be avoided using tickets similar to
Kerberos.  We have a trusted third party (TTP) that receives your
credentials once and returns a ticket for a set of services with a given
lifetime.  This ticket is good only within a certain context (certain
services, servers, clients, times, dates, you name it and it can be rolled
into the ticket).  That way if the ticket is compromised, it is of limited
use (versus a full blown password with may be useful in other contexts.)

The client could then use the old ticket (before it expires) to get a new
ticket.  That way an attacker cannot get ahold of an unlimited use ticket
but must continue to get new tickets from the client.  (or reveal himself
by registering for his own new tickets).

There is another rule to obey here:  have security levels associated with
your passwords.  This would seem to be a no-brainer, but I guess it's not.
It's usually not very feasible to have a separate password for everything
so people pick a few.  If you do this, delegate one password (or set of
passwords) as low security.  Think about what kind of service this is and
how your password is likely to be stored.  Think about how much damage
could be inflicted if blahblahblah.com accidentally lets out your chat
password.  Don't let passwords for systems with secure password schemes
(such as UNIX) be used for those with insecure schemes such as Netscape.
(Using any of those "remember my password" features violates this nostrum.)

The wisdom of this rule was highlighted by this very same Real Server oops.
In an attempt to demonstrate to a friend that he needed to subscribe to
BugTraq, I logged in and grabbed his RS password.  The disturbing thing is,
I know that it's also a root password on some machines.  Oops, a silly
mistake has now been elevated to a catastrophe.

Otherwise, use a separate password for absolutely everything and record
them securely.  That is to say, PGP encrypt them and take any steps
necessary (such as disk wiping) to insure that it can only be recovered by
someone who has the appropriate private key.

Just my thoughts.
.......................................................................
: Bureaucracy is the enemy of innovation.          : Trevor Schroeder :
:                           -- Mark Sheperd        : tschroed () acm org :
:........... http://www.zweknu.org/ for PGP key and more .............:

Current thread:

Re: Plain text passwords--necessary Francisco M. Marzoa Alonso (Apr 16)
- <Possible follow-ups>
- Re: Plain text passwords--necessary Aleph One (Apr 16)
  - Re: Plain text passwords--necessary Phillip Vandry (Apr 19)
    - Corrected Linux 2.2.5 FIN/NULL/XMAS block patch Taral (Apr 19)
    - Re: Corrected Linux 2.2.5 FIN/NULL/XMAS block patch Taral (Apr 20)
    - Re: Plain text passwords--necessary Taral (Apr 19)
  - Re: Plain text passwords--necessary Trevor Schroeder (Apr 19)
    - bug in ssh allowing to be invissible Grzegorz Stelmaszek (Apr 19)
    - Re: bug in ssh allowing to be invissible Pete (Apr 20)
    - Re: bug in ssh allowing to be invissible Joe Gross (Apr 20)
    - NetBSD Security Advisory 1999-009 matthew green (Apr 20)
    - Bash Bug Shadow (Apr 20)
    - Re: Bash Bug Marc Lehmann (Apr 21)
    - Re: Bash Bug Pavel Kankovsky (Apr 22)
    - Re: Bash Bug Chet Ramey (Apr 22)
    - L0pht Security Advisory: Cold Fusion App Server Weld Pond (Apr 21)
    - Re: Plain text passwords--necessary Densin Roy. (Apr 19)

(Thread continues...)