Encrypting Notes ID password

Posted on 2004-08-25
Last Modified: 2013-12-18
Is there a way to encrypt the Notes ID password? I'd like to prevent someone with a packet sniffer from 'collecting' my Notes users' passwords.

Also, how can I do the same with Domino webmail? Would https help here?
Question by:isltt
6 Comments
 
LVL 19

Expert Comment

by:madheeswar
ID: 11899661
You mean hackers can hack user names and passwords from the Domino Directory?

Then hide the ($Users) view in the Domino Directory (names.nsf).

And use high-security passwords.
0
 
LVL 15

Accepted Solution

by:
Bozzie4 earned 500 total points
ID: 11899833
1. The Notes ID password is encrypted, and is not sent over the wire to the server. You effectively authenticate against the ID file (the password is not stored on the server).
2. For the Web password, it is a different story:

- Since you do send the password over the wire, it's best to use SSL. Passwords will not be sniffed then. You should make your users log in to an SSL-enabled database, and also use SSL to access their mail files (webmail/iNotes).
- Since the default encryption on the password field is rather bad (easily crackable using a dictionary attack), you should use the "More secure password format". Set this in the Directory Profile (in the names.nsf).
- It stays vital that you protect your names.nsf: only allow (at most) author access to your own people within your organization (so they can edit their own person document). Default access should be 'no access'; anonymous access should be 'no access'. Hiding the ($Users) view will not help, btw - there are enough other views.
- Also watch out when using LDAP: make sure to protect what anonymous LDAP queries can do, and consider using SSL here too.

cheers,

Tom

0
 
LVL 19

Expert Comment

by:RanjeetRain
ID: 11903451
>> Is there a way to encrypt the Notes ID password? I'd like to prevent someone with a packet sniffer from 'collecting' my Notes users passwords.
You don't need to. Notes doesn't send plain text passwords.

>> also, how can I do same with Domino webmail?...would https help here?
Use SSL. Easiest and the bestest method.

0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 11910401
And also use session authentication - this also reduces the amount of username-password information sent over the wire. If you enable SSL (you should), it's still possible you won't enable SSL on all databases. And if you then switch to a non-SSL database, in basic authentication, your password is again sent as 'almost' clear text over the wire (it's not really clear, but the encryption is so weak everybody can break it).

cheers,

Tom
0
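
The risk described in the comment above, as an added example that is not part of the original thread: a Basic authentication header is only base64-encoded, so every request that carries it over plain HTTP exposes the account. The check below flags such requests in recorded traffic; the hosts, paths, accounts, cookie name and helper names are constructed for illustration.

```python
import base64
import binascii

def decode_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: not a usable credential
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None

def find_exposed(requests):
    """Flag requests that carry Basic credentials over plain HTTP."""
    findings = []
    for scheme, host, path, headers in requests:
        creds = decode_basic(headers.get("Authorization", ""))
        if creds and scheme == "http":
            user, password = creds
            # Report the account and the password length only, never the secret.
            findings.append({"host": host, "path": path, "user": user,
                             "password_chars": len(password)})
    return findings

def basic_header(user, password):
    """Build the header value a browser sends for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample traffic: (scheme, host, path, request headers).
SAMPLE = [
    # SSL-enabled mail database: credentials travel inside TLS.
    ("https", "mail.example.test", "/mail/jdoe.nsf",
     {"Authorization": basic_header("jdoe", "s3cret:2004")}),
    # Same browser then opens a non-SSL database and re-sends the header.
    ("http", "mail.example.test", "/help/faq.nsf",
     {"Authorization": basic_header("jdoe", "s3cret:2004")}),
    # Session authentication: a cookie is sent instead of the password.
    ("http", "mail.example.test", "/help/faq.nsf",
     {"Cookie": "SessionToken=constructed"}),
    # Malformed header: ignored rather than crashing the scan.
    ("http", "mail.example.test", "/x.nsf", {"Authorization": "Basic not-base64!"}),
]

if __name__ == "__main__":
    for finding in find_exposed(SAMPLE):
        print(finding)
```
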
 
LVL 31

Expert Comment

by:qwaletee
ID: 11932464
Hi Bozzie4,
> - Also watch out when using LDAP : make sure to protect what anonymous ldap queries can do, and consider
> using ssl here too.

The default does NOT allow anonymous access to HTTPPassword.

Cheers!
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 11932674
Yep, that's true, but you still don't want to make all your usernames etc. public.

tnx

Tom
0
