Encrypting Notes ID password

Is there a way to encrypt the Notes ID password? I'd like to prevent someone with a packet sniffer from 'collecting' my Notes users' passwords.

Also, how can I do the same with Domino webmail? Would https help here?
isltt Asked:
Bozzie4 Commented:
1. The Notes ID password is encrypted, and is not sent over the wire to the server. You effectively authenticate against the ID file (the password is not stored on the server).
2. For the Web password, there is a different story:

- Since you do send the password over the wire, it's best to use SSL. Passwords will not be sniffed then. You should make your users log in to an SSL-enabled database, and also use SSL to access their mail files (webmail/iNotes).
- Since the default encryption on the password field is rather bad (easily crackable using a dictionary attack), you should use the "More secure password format". Set this in the Directory Profile (in the names.nsf).
- It stays vital that you protect your names.nsf: only allow (at max) author access to your own people within your organization (so they can edit their own person document). Default access should be 'no access', anonymous access should be 'no access'. Hiding the ($Users) view will not help, btw - there are enough other views.
- Also watch out when using LDAP: make sure to protect what anonymous LDAP queries can do, and consider using SSL here too.

cheers,

Tom

madheeswar Commented:
You mean hackers can hack user names and passwords from the Domino Directory?

Then hide the ($Users) view in the Domino Directory (names.nsf).

And use high-security passwords.
RanjeetRain Commented:
>> Is there a way to encrypt the Notes ID password? I'd like to prevent someone with a packet sniffer from 'collecting' my Notes users' passwords.
You don't need to. Notes doesn't send plain text passwords.

>> Also, how can I do the same with Domino webmail? Would https help here?
Use SSL. Easiest and the bestest method.

Bozzie4 Commented:
And also use session authentication - this also reduces the amount of username-password information sent over the wire. If you enable SSL (you should), it's still possible you won't enable SSL on all databases. And if you then switch to a non-SSL database, in basic authentication, your password is again sent as 'almost' clear text over the wire (it's not really clear, but the encryption is so weak everybody can break it).

cheers,

Tom
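
An added example, not part of the original thread or any poster's code: a small audit over observed web requests that flags HTTP Basic credentials sent without SSL, the case described in the comment above. The request tuples, paths, user names and cookie value are constructed sample data, and the function name is hypothetical.

```python
import base64

def _basic(user_pw: bytes) -> str:
    return "Basic " + base64.b64encode(user_pw).decode("ascii")

# Constructed sample of observed requests: (scheme, path, headers). Not real traffic.
SAMPLE_REQUESTS = [
    ("https", "/mail/jdoe.nsf", {"Authorization": _basic(b"jdoe:constructed-pw")}),
    ("http", "/help/help.nsf", {"Authorization": _basic(b"jdoe:constructed-pw")}),
    ("http", "/apps/orders.nsf", {"authorization": _basic(b"asmith:x:y")}),
    ("http", "/apps/orders.nsf", {"Cookie": "DomAuthSessId=CONSTRUCTED"}),
    ("http", "/apps/old.nsf", {"Authorization": "Basic !!!not-base64"}),
]

def audit_basic_over_plaintext(requests):
    """Return (path, user, password_length) for each Basic credential sent without TLS.

    Base64 is an encoding, not encryption: the user name is recovered here with
    no key at all. Only the password length is reported so the audit output
    does not itself become a credential store.
    """
    findings = []
    for scheme, path, headers in requests:
        if scheme.lower() == "https":
            continue  # credential was protected in transit by SSL/TLS
        # Header names are case-insensitive.
        auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
        kind, _, token = auth.partition(" ")
        if kind.lower() != "basic":
            continue  # e.g. session authentication: a cookie, not the password
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((path, None, 0))  # malformed, but still a Basic attempt over http
            continue
        # Only the first ':' separates user from password; passwords may contain ':'.
        user, _, password = decoded.partition(":")
        findings.append((path, user, len(password)))
    return findings

if __name__ == "__main__":
    for path, user, pw_len in audit_basic_over_plaintext(SAMPLE_REQUESTS):
        print(f"Basic auth over http: {path} user={user!r} password_length={pw_len}")
```

Each path reported is a database still reachable with Basic authentication over plain HTTP and a candidate for requiring SSL or session authentication.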
qwaletee Commented:
Hi Bozzie4,
> - Also watch out when using LDAP: make sure to protect what anonymous LDAP queries can do, and consider using SSL here too.

The default does NOT allow anonymous access to HTTPPassword.

Cheers!
Bozzie4 Commented:
Yep, that's true, but you still don't want to make all your usernames etc. public.

tnx

Tom
Question has a verified solution.
