?
Solved

Encrypting Notes ID password

Posted on 2004-08-25
6
Medium Priority
?
222 Views
Last Modified: 2013-12-18
Is there a way to encrypt the Notes ID password? I'd like to prevent someone with a packet sniffer from 'collecting' my Notes users passwords.

also, how can I do same with Domino webmail?...would https help here?
0
Comment
Question by:isltt
6 Comments
 
LVL 19

Expert Comment

by:madheeswar
ID: 11899661
you mean hackers can hack user name and passwords from Domino Directory?

Then hide ($Users) view in Domino Directory(names.nsf).

And use high security pwds.
0
 
LVL 15

Accepted Solution

by:
Bozzie4 earned 1500 total points
ID: 11899833
1. the Notes ID password is encrypted, and is not sent over the wire to the server.  You effectively authenticate against the id file (password is not stored on the server).
2. for the Web password, there is a different story :

- since you do send the password over the wire, it's best to use SSL.  Passwords will not be sniffed then.  You should make your users login to an ssl-enabled database, and also use ssl to access their mailfiles (webmail/inotes)
- since the default encryption on the password field is rather bad (easily crackable using a dictonary attack), you should use the "More secure password format".  Set this in the Directory Profile (in  the names.nsf).  
- it stays vital that you protect your names.nsf : only allow (at max) author access to your own people within your organization (so they can edit their own person document).  Default access should be 'no access', anonmymous access should be 'no access'.  Hiding the ($Users) view will not help, btw - there are enough other views.  
- Also watch out when using LDAP : make sure to protect what anonymous ldap queries can do, and consider using ssl here too.

cheers,

Tom

0
 
LVL 19

Expert Comment

by:RanjeetRain
ID: 11903451
>> Is there a way to encrypt the Notes ID password? I'd like to prevent someone with a packet sniffer from 'collecting' my Notes users passwords.
You don't need to. Notes doesn't send plain text passwords.

>> also, how can I do same with Domino webmail?...would https help here?
Use SSL. Easiest and the bestest method.

0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 15

Expert Comment

by:Bozzie4
ID: 11910401
And also use session authentication - this also reduces the amount of username-password information sent over the wire.  If you enable SSL (you should) it's still possible you won't enable SSL on all databases.  And if you then switch to a now-ssl database, in basic authentication, your password is again sent as 'almost' clear text over the wire (it's not really clear, but the encryption is so weak everybody can break it)

cheers,

Tom
0
 
LVL 31

Expert Comment

by:qwaletee
ID: 11932464
Hi Bozzie4,
> - Also watch out when using LDAP : make sure to protect what anonymous ldap queries can do, and consider
> using ssl here too.

The default does NOT allow anonymous access to HTTPPassword

Cheers!
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 11932674
Yep, that's true, but you still don't want to make all your usernames etc. public.

tnx

Tom
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You’ve got a lotus Domino web server, and you have been told that “leverage browser caching” is a must do. This means that we have to tell the browser everywhere in the web to use cache. In other words, we set (and send) an expiration date in the HT…
Problem "Can you help me recover my changes?  I double-clicked the attachment, made changes, and then hit Save before closing it.  But when I try to re-open it, my changes are missing!"    Solution This solution opens the Outlook Secure Temp Fold…
There may be issues when you are trying to access Outlook or send & receive emails or due to Outlook crash which leads to corrupt or damaged PST file. To eliminate the corruption from your PST file, you need to repair the corrupt Outlook PST file. U…
Watch the video to learn how one can deal with PST file corruption issue with an outstanding Kernel for Outlook PST Repair Tool easily. Using this tool, non-technical users can swiftly perform the repair process to restore their essential data witho…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question