BIND 10 #2716: password in ~/.bind10/default_user.csv is cleartext
BIND 10 Development
do-not-reply at isc.org
Mon Feb 18 08:53:38 UTC 2013
#2716: password in ~/.bind10/default_user.csv is cleartext
-------------------------------------+-------------------------------------
Reporter: cas                        | Owner:
Type: defect                         | Status: new
Priority: medium                     | Milestone: Next-Sprint-Proposed
Component: Unclassified              |
Keywords:                            | Resolution:
Sensitive: 0                         | CVSS Scoring:
Sub-Project: DNS                     | Defect Severity: N/A
Estimated Difficulty: 0              | Feature Depending on Ticket:
Total Hours: 0                       | Add Hours to Ticket: 0
                                     | Internal?: 0
-------------------------------------+-------------------------------------
Comment (by cas):
I did some research on the server-side use of the .htdigest format. To me
it looks like the htdigest format is quite outdated and not a good choice
for software such as BIND 10 that has a lifetime of 10+ years ahead.
The htdigest format encrypts passwords using either the OS "crypt"
function, MD5 or SHA1. Only when using "crypt" is the password augmented
with a random salt (12 bits), but it is truncated to 8 bytes. That is, to my
knowledge, too weak; it is reversible with modern hardware.
MD5 and SHA1 password hashes are stored without salt, so attackers could
use rainbow tables to reverse the hashes and get the original cleartext
passwords.
I'm not an expert on crypto, so I might be wrong on this.
This page has some background information on the password storage:
http://crackstation.net/hashing-security.htm
--
Ticket URL: <http://bind10.isc.org/ticket/2716#comment:8>
BIND 10 Development <http://bind10.isc.org>
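The comment above argues that unsalted MD5/SHA1 entries can be attacked with one precomputed table, that 8-byte truncation in crypt() discards most of a long password, and (via the linked crackstation page) that a per-user salt with key stretching is the remedy. The following is an added example, not code from the ticket, from BIND 10, or from Apache; it models the unsalted and truncated forms the comment describes in generic shape (hex MD5 of the bare password, Apache-style "{SHA}" base64 of SHA-1, and an 8-byte prefix comparison standing in for traditional DES crypt) rather than reproducing the exact byte layout of a .htdigest file, and the user names, hashes and wordlist are constructed for illustration:

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed "users file" entries in the two unsalted forms discussed in the
# comment: hex MD5 of the bare password and Apache-style {SHA} base64(SHA-1).
# These accounts and values are made up for illustration, not real data.
UNSALTED_ENTRIES: Dict[str, str] = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "bob":   "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",  # sha1("password"), base64
    "carol": "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
}

# A tiny constructed wordlist standing in for a rainbow table / dictionary.
WORDLIST: List[str] = ["letmein", "password", "123456", "qwerty"]


def unsalted_md5(password: str) -> str:
    """Unsalted hex MD5 of the password (the weak form the comment describes)."""
    return hashlib.md5(password.encode()).hexdigest()


def apache_sha(password: str) -> str:
    """Unsalted Apache-style {SHA} entry: base64 of the raw SHA-1 digest."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def precomputed_table(words: List[str]) -> Dict[str, str]:
    """Build hash -> cleartext once. Because nothing is salted, one table
    recovers every matching user in every file, which is the rainbow-table
    point made in the comment."""
    table: Dict[str, str] = {}
    for w in words:
        table[unsalted_md5(w)] = w
        table[apache_sha(w)] = w
    return table


def crack_unsalted(entries: Dict[str, str], words: List[str]) -> Dict[str, str]:
    """Look every stored hash up in the precomputed table; no per-user work."""
    table = precomputed_table(words)
    return {user: table[h] for user, h in entries.items() if h in table}


def crypt_truncation_collides(pw_a: str, pw_b: str) -> bool:
    """Model the 8-byte truncation of traditional DES crypt() that the comment
    mentions: two passwords agreeing on their first 8 bytes verify identically,
    so a long passphrase gives no more strength than its first 8 bytes."""
    return pw_a.encode()[:8] == pw_b.encode()[:8]


# Hardened form: per-user random salt plus key stretching (PBKDF2-HMAC-SHA256,
# a standard-library choice; the iteration count is an assumption for the example).
ITERATIONS = 200_000


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record "pbkdf2_sha256$iters$salt_hex$dk_hex"
    with a fresh 16-byte salt, so identical passwords yield different records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(crack_unsalted(UNSALTED_ENTRIES, WORDLIST))
    rec = store_salted("correct horse battery staple")
    print(rec, verify_salted("correct horse battery staple", rec))
```

Running it recovers alice, bob and carol from a four-word list in one pass, while two calls to store_salted() with the same password produce different records, so a table built against one user's salt is useless against the next; the cost per guess is also raised by the iteration count rather than being a single MD5 or SHA-1 evaluation.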