Domino Internet Passwords


What are the differences between the dspHTTPPassword and HTTPPassword fields in a person document?

In my directory I have people with either one or the other, or sometime both. If both are there, which one is the internet password considering that they differ?

And finally, if the $SecurePassword field is absent in the person document, how is possible the that the password hash still have the "more secure internet password" hash format?

Thanks in advance
LVL 41
Who is Participating?
Sjef BosmanConnect With a Mentor Groupware ConsultantCommented:
dsp means Display, so I assume the one with dsp is for display purposes only. Normally dspXXX fields shouldn't be saved, it must have slipped through I guess. HTTPPassword is the real thing.

Your second question I don't have the answer to. Sorry. I can only guess that some documents were saved before the new, more secure methods became available.
ralmadaAuthor Commented:
hi sjef_bosman,

Thanks for your comment. What do you mean by dspHTTPPassword is for display purpose only?
Sjef BosmanGroupware ConsultantCommented:
DiSPlay... There are many fields in a Notes form that are used to display a value of another field. For example, a phone number could have been entered as 0123456789, and the dspPhoneNumber field contains a formula to convert it to text, in the format 01-234-56789. The standard field will be visible in edit-mode, the dsp-field in read-mode. The dsp-thing is just a name, it isn't special or so, for Notes.
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

ralmadaAuthor Commented:
I see, that would make sense for a telephone field. But what about dspHTTPPassword, why would you require formatting on the password field?

Also you're saying that the real thing is in HTTPPassword, however from

It looks like both could have the password hash. Sorry, I'm a bit confused.
Sjef BosmanConnect With a Mentor Groupware ConsultantCommented:
Haven't the faintest. My abilities as an augur declined rapidly when I had to quit drinking tea: no more leaves to read. Better use a Designer client to find all references to HTTPPassword in the design of the N&A book.

By the way, you often find fields in Notes databases and documents that sort of "linger around". They were created in the past, had their use, and now a new design is applied they lost their meaning. Since there is no real need to remove them they're still there...

And it might have been used by a browser, displaying **** or so. Can you see if those two fields you mentioned often have identical contents?
ralmadaAuthor Commented:
>> Can you see if those two fields you mentioned often have identical contents?  << Some do, but only a very few.

Sjef BosmanConnect With a Mentor Groupware ConsultantCommented:
Interesting document, the one on how to penetrate a Domino system. Did you sufficiently protect the names.nsf database, blocking access to outside users? Anonymous should have No Access. If you have that, attacks can only come from the inside, from someone who already has a name and password to enter the server.

Are you concerned about your own server or are you trying to break in? Btw, any system that allows password hashes to be read by users is vulnerable. It is very hard if not impossible to protect your server from an attack from the inside. One way to protect your system from the outside is to put a separate mail/web server in a DMZ, in a separate domain, with only some databases of minor importance. And of course, always use the Notes client and disallow the use of a browser.

I must confess that Domino security is not one of my stronger points. I hope someone else may take over.
doninjaConnect With a Mentor Commented:
Just to affirm that Sjef is right (as usual :P )

the DSPxxx field should only appear if you have the document open in a notes client.
If you use a view and select Document Properties you will get a list of fields in the document that don't include the DSPxxx fields.

Removing $SecurePassword from the person form in design, or a created person document does not effect the currently saved httppassword contents but should update next time it is changed.
ralmadaAuthor Commented:
Thank you guys!!!

I am currently reviewing the security around our servers and this is really helpful in making my final recommendation.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.