Domino "vulnerability" with weak internet passwords… again.

I’m not sure why this Domino vulnerability is getting any press whatsoever. Basically, if your default setting on the names.nsf is Reader, you can find out the internet password of someone. At least the encrypted representation of one.

Now, any good Domino admin knows that the internet passwords on Domino are weakly encoded. Basically, as it says in the vulnerability, “355E98E7C7B59BD810ED845AD0FD2FC4” is the word “password” no matter which person document it resides in. This is OLD OLD news. Lotus even provided an agent in the address book, early on in R5 I believe, that allows you to “Upgrade to a more secure internet password.” You can even set it up in your directories profile doc to always have new users created with that type of password. It hashes the password and makes it then very hard to break.

Now, if you are an admin worth your salt (a little hashing humor there) you would also NEVER have your Domino Directory set to a default of reader. People would have to authenticate. Now once they were authenticated, they COULD still see the information in that field, but if you have the more secure internet password, that becomes a moot point.

So this thing has been around forever, so I dunno why it’s garnering anything now, but I guess for new admins, it’s a good lesson. Check out IBM’s technote on this Domino “vulnerability” and make sure you have your servers secured.

If you don’t, you deserve to be hacked.