Solved

Domino Internet Passwords

Posted on 2011-03-07
9
908 Views
Last Modified: 2013-12-18
Hi,

What are the differences between the dspHTTPPassword and HTTPPassword fields in a person document?

In my directory I have people with either one or the other, or sometime both. If both are there, which one is the internet password considering that they differ?

And finally, if the $SecurePassword field is absent in the person document, how is it possible that the password hash still has the "more secure internet password" hash format?

Thanks in advance
Question by:ralmada
9 Comments
 
LVL 46

Accepted Solution

by:
Sjef Bosman earned 375 total points
ID: 35058799
dsp means Display, so I assume the one with dsp is for display purposes only. Normally dspXXX fields shouldn't be saved, it must have slipped through I guess. HTTPPassword is the real thing.

Your second question I don't have the answer to. Sorry. I can only guess that some documents were saved before the new, more secure methods became available.
 
LVL 41

Author Comment

by:ralmada
ID: 35059901
hi sjef_bosman,

Thanks for your comment. What do you mean by dspHTTPPassword is for display purpose only?
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 35060495
DiSPlay... There are many fields in a Notes form that are used to display a value of another field. For example, a phone number could have been entered as 0123456789, and the dspPhoneNumber field contains a formula to convert it to text, in the format 01-234-56789. The standard field will be visible in edit-mode, the dsp-field in read-mode. The dsp-thing is just a name, it isn't special or so, for Notes.
 
LVL 41

Author Comment

by:ralmada
ID: 35061082
I see, that would make sense for a telephone field. But what about dspHTTPPassword, why would you require formatting on the password field?

Also you're saying that the real thing is in HTTPPassword, however from
http://dsecrg.com/files/pub/pdf/Penetration_from_application_down_to_OS_(Lotus_Domino).pdf

It looks like both could have the password hash. Sorry, I'm a bit confused.
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 375 total points
ID: 35062015
Haven't the faintest. My abilities as an augur declined rapidly when I had to quit drinking tea: no more leaves to read. Better use a Designer client to find all references to HTTPPassword in the design of the N&A book.

By the way, you often find fields in Notes databases and documents that sort of "linger around". They were created in the past, had their use, and now a new design is applied they lost their meaning. Since there is no real need to remove them they're still there...

And it might have been used by a browser, displaying **** or so. Can you see if those two fields you mentioned often have identical contents?
 
LVL 41

Author Comment

by:ralmada
ID: 35065724
>> Can you see if those two fields you mentioned often have identical contents?  << Some do, but only a very few.

 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 375 total points
ID: 35067983
Interesting document, the one on how to penetrate a Domino system. Did you sufficiently protect the names.nsf database, blocking access to outside users? Anonymous should have No Access. If you have that, attacks can only come from the inside, from someone who already has a name and password to enter the server.

Are you concerned about your own server or are you trying to break in? Btw, any system that allows password hashes to be read by users is vulnerable. It is very hard if not impossible to protect your server from an attack from the inside. One way to protect your system from the outside is to put a separate mail/web server in a DMZ, in a separate domain, with only some databases of minor importance. And of course, always use the Notes client and disallow the use of a browser.

I must confess that Domino security is not one of my stronger points. I hope someone else may take over.
 
LVL 10

Assisted Solution

by:doninja
doninja earned 125 total points
ID: 35068495
Just to affirm that Sjef is right (as usual :P )

The DSPxxx field should only appear if you have the document open in a Notes client.
If you use a view and select Document Properties you will get a list of fields in the document that don't include the DSPxxx fields.

Removing $SecurePassword from the person form in design, or a created person document, does not affect the currently saved HTTPPassword contents but should update next time it is changed.
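The points made in the answers above (HTTPPassword is the field the server actually checks, dspHTTPPassword is a display artefact that may linger in saved documents, $SecurePassword marks whether the newer hash format is in use) can be turned into a directory audit that answers the "do the two fields often have identical contents?" question for every Person document at once. The script below is an added example, not code from this thread or from IBM/HCL. It assumes the Person documents have already been exported to plain dictionaries (field name to string value), for instance from a DXL export or an agent dump; the two hash-shape patterns (legacy 32-hex value vs. salted value starting with "(G") are this script's assumptions about the formats, not something the thread states.

```python
"""Audit exported Domino Person documents for Internet-password field hygiene.

Added example, not from the thread. Input is assumed to be a list of dicts
(field name -> value) produced by some prior export step, which is not shown.
"""
import re
from collections import Counter

# Assumed hash shapes (not stated on the page): the legacy unsalted Internet
# password is 32 hex characters in parentheses; the "more secure" salted form
# starts with "(G" (later releases also have a longer "(H" variant).
LEGACY_RE = re.compile(r"^\([0-9A-Fa-f]{32}\)$")
SALTED_RE = re.compile(r"^\([GH][0-9A-Za-z+/=]{19,31}\)$")

# Constructed sample directory. Hash strings are placeholders in the two
# shapes above, not real credentials.
PERSON_DOCS = [
    {"ShortName": "alice", "HTTPPassword": "(0123456789abcdef0123456789abcdef)"},
    {"ShortName": "bob", "HTTPPassword": "(GAbcDefGhiJklMnoPqrS)", "$SecurePassword": "1"},
    {"ShortName": "carol", "dspHTTPPassword": "(0123456789abcdef0123456789abcdef)"},
    {"ShortName": "dave", "HTTPPassword": "(GAbcDefGhiJklMnoPqrS)",
     "dspHTTPPassword": "(GAbcDefGhiJklMnoPqrS)"},
    {"ShortName": "erin", "HTTPPassword": "(GAbcDefGhiJklMnoPqrS)",
     "dspHTTPPassword": "(stale-display-value)"},
    {"ShortName": "frank"},
]


def classify_hash(value):
    """Return 'none', 'legacy', 'salted' or 'unknown' for one field value."""
    if not value:
        return "none"
    if LEGACY_RE.match(value):
        return "legacy"
    if SALTED_RE.match(value):
        return "salted"
    return "unknown"


def effective_password(doc):
    """Report which password fields a document carries and the value that counts.

    Per the accepted answer, HTTPPassword is the real field; dspHTTPPassword is
    only used as a fallback here so that dsp-only documents still get classified,
    and that case is flagged separately.
    """
    http = doc.get("HTTPPassword")
    dsp = doc.get("dspHTTPPassword")
    if http and dsp:
        presence = "both_identical" if http == dsp else "both_differ"
    elif http:
        presence = "http_only"
    elif dsp:
        presence = "dsp_only"
    else:
        presence = "neither"
    return presence, http or dsp


def audit_directory(docs):
    """Summarise field presence and hash format; list documents worth a look."""
    summary = Counter()
    findings = []
    for doc in docs:
        presence, value = effective_password(doc)
        fmt = classify_hash(value)
        summary[presence] += 1
        summary["format_" + fmt] += 1
        # A hash without the $SecurePassword marker is what the question asked about.
        if value and "$SecurePassword" not in doc:
            summary["no_secure_flag"] += 1
        # Flag: only a display field present, the two fields disagree, or a legacy hash.
        if presence in ("dsp_only", "both_differ") or fmt == "legacy":
            findings.append((doc.get("ShortName", "?"), presence, fmt))
    return summary, findings


if __name__ == "__main__":
    summary, findings = audit_directory(PERSON_DOCS)
    for key in sorted(summary):
        print(f"{key:16s} {summary[key]}")
    print("documents to review:")
    for name, presence, fmt in findings:
        print(f"  {name:8s} {presence:15s} {fmt}")
```

On the constructed sample the report flags alice (legacy hash), carol (only a display field, so the server has nothing to check) and erin (the two fields disagree), and counts four documents that carry a hash but no $SecurePassword marker. Replace PERSON_DOCS with your own export to get the same breakdown for a real directory.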
 
LVL 41

Author Closing Comment

by:ralmada
ID: 35069841
Thank you guys!!!

I am currently reviewing the security around our servers and this is really helpful in making my final recommendation.
