Solved

Domino Internet Passwords

Posted on 2011-03-07
912 Views
Last Modified: 2013-12-18
Hi,

What are the differences between the dspHTTPPassword and HTTPPassword fields in a person document?

In my directory I have people with either one or the other, or sometimes both. If both are there, which one is the internet password, considering that they differ?

And finally, if the $SecurePassword field is absent in the person document, how is it possible that the password hash still has the "more secure internet password" hash format?

Thanks in advance
Question by:ralmada
9 Comments
 
LVL 46

Accepted Solution

by:
Sjef Bosman earned 1500 total points
ID: 35058799
dsp means Display, so I assume the one with dsp is for display purposes only. Normally dspXXX fields shouldn't be saved, it must have slipped through I guess. HTTPPassword is the real thing.

Your second question I don't have the answer to. Sorry. I can only guess that some documents were saved before the new, more secure methods became available.
0
 
LVL 41

Author Comment

by:ralmada
ID: 35059901
hi sjef_bosman,

Thanks for your comment. What do you mean by dspHTTPPassword is for display purposes only?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 35060495
DiSPlay... There are many fields in a Notes form that are used to display a value of another field. For example, a phone number could have been entered as 0123456789, and the dspPhoneNumber field contains a formula to convert it to text, in the format 01-234-56789. The standard field will be visible in edit-mode, the dsp-field in read-mode. The dsp-thing is just a name, it isn't special or so, for Notes.
0
 
LVL 41

Author Comment

by:ralmada
ID: 35061082
I see, that would make sense for a telephone field. But what about dspHTTPPassword, why would you require formatting on the password field?

Also, you're saying that the real thing is in HTTPPassword; however, from
http://dsecrg.com/files/pub/pdf/Penetration_from_application_down_to_OS_(Lotus_Domino).pdf

it looks like both could have the password hash. Sorry, I'm a bit confused.
0
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 1500 total points
ID: 35062015
Haven't the faintest. My abilities as an augur declined rapidly when I had to quit drinking tea: no more leaves to read. Better use a Designer client to find all references to HTTPPassword in the design of the N&A book.

By the way, you often find fields in Notes databases and documents that sort of "linger around". They were created in the past, had their use, and now a new design is applied they lost their meaning. Since there is no real need to remove them they're still there...

And it might have been used by a browser, displaying **** or so. Can you see if those two fields you mentioned often have identical contents?
0
 
LVL 41

Author Comment

by:ralmada
ID: 35065724
>> Can you see if those two fields you mentioned often have identical contents?  << Some do, but only a very few.

0
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 1500 total points
ID: 35067983
Interesting document, the one on how to penetrate a Domino system. Did you sufficiently protect the names.nsf database, blocking access to outside users? Anonymous should have No Access. If you have that, attacks can only come from the inside, from someone who already has a name and password to enter the server.

Are you concerned about your own server or are you trying to break in? Btw, any system that allows password hashes to be read by users is vulnerable. It is very hard if not impossible to protect your server from an attack from the inside. One way to protect your system from the outside is to put a separate mail/web server in a DMZ, in a separate domain, with only some databases of minor importance. And of course, always use the Notes client and disallow the use of a browser.

I must confess that Domino security is not one of my stronger points. I hope someone else may take over.
0
 
LVL 10

Assisted Solution

by:doninja
doninja earned 500 total points
ID: 35068495
Just to affirm that Sjef is right (as usual :P )

The DSPxxx field should only appear if you have the document open in a Notes client.
If you use a view and select Document Properties, you will get a list of fields in the document that doesn't include the DSPxxx fields.

Removing $SecurePassword from the person form in design, or from a created person document, does not affect the currently saved HTTPPassword contents, but should update the next time it is changed.
0
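A small audit script, added here as an illustration and not code from this thread or from Domino itself, that runs Sjef's "are the two fields identical?" check and doninja's $SecurePassword observation over a constructed export of person documents (plain dicts standing in for document items; names and hash values are placeholders):

```python
from collections import Counter

# Constructed sample export: one dict per person document, item name -> value.
# Hash values are placeholders, not real Domino hashes.
SAMPLE_PERSON_DOCS = [
    {"FullName": "CN=Alice Example/O=Acme", "HTTPPassword": "(HASH-A)", "$SecurePassword": "1"},
    {"FullName": "CN=Bob Example/O=Acme", "HTTPPassword": "(HASH-B)", "dspHTTPPassword": "(HASH-B)"},
    {"FullName": "CN=Carol Example/O=Acme", "dspHTTPPassword": "(HASH-C)"},
    {"FullName": "CN=Dan Example/O=Acme", "HTTPPassword": "(HASH-D)",
     "dspHTTPPassword": "(HASH-OLD)", "$SecurePassword": "1"},
]

def classify(doc):
    """Return one of: 'none', 'real_only', 'dsp_only', 'both_same', 'both_differ'."""
    real, dsp = doc.get("HTTPPassword"), doc.get("dspHTTPPassword")
    if real is None and dsp is None:
        return "none"
    if dsp is None:
        return "real_only"
    if real is None:
        return "dsp_only"
    return "both_same" if real == dsp else "both_differ"

def audit_person(doc):
    """List hygiene issues for one person document (empty list = clean)."""
    issues = []
    kind = classify(doc)
    if kind in ("dsp_only", "both_same", "both_differ"):
        issues.append("dspHTTPPassword is saved; a display-only item should not persist")
    if kind == "dsp_only":
        issues.append("no HTTPPassword item; only the stale dsp copy holds a hash")
    if kind == "both_differ":
        issues.append("dspHTTPPassword differs from HTTPPassword; dsp copy lingers from an older save")
    if kind in ("real_only", "both_same", "both_differ") and "$SecurePassword" not in doc:
        issues.append("$SecurePassword absent; stored hash only changes when the password is next changed")
    return issues

def audit_directory(docs):
    """Map FullName -> issues for every document that has at least one issue."""
    report = {}
    for doc in docs:
        issues = audit_person(doc)
        if issues:
            report[doc["FullName"]] = issues
    return report

def summarize(docs):
    """Count documents per classification (answers 'how often are both identical?')."""
    return dict(Counter(classify(d) for d in docs))

if __name__ == "__main__":
    for name, issues in audit_directory(SAMPLE_PERSON_DOCS).items():
        print(name, issues)
    print(summarize(SAMPLE_PERSON_DOCS))
```

Feed it the item names and values of real person documents (for instance from a DXL export) to get a per-document list of lingering dsp fields and a count of how often the two fields agree.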
 
LVL 41

Author Closing Comment

by:ralmada
ID: 35069841
Thank you guys!!!

I am currently reviewing the security around our servers and this is really helpful in making my final recommendation.
0
