Domino Internet Passwords

Hi,

What are the differences between the dspHTTPPassword and HTTPPassword fields in a person document?

In my directory I have people with either one or the other, or sometimes both. If both are there, which one is the internet password, considering that they differ?

And finally, if the $SecurePassword field is absent in the person document, how is it possible that the password hash still has the "more secure internet password" hash format?

Thanks in advance
Asked: ralmada

Sjef Bosman (Groupware Consultant) commented:
dsp means Display, so I assume the one with dsp is for display purposes only. Normally dspXXX fields shouldn't be saved, it must have slipped through I guess. HTTPPassword is the real thing.

Your second question I don't have the answer to. Sorry. I can only guess that some documents were saved before the new, more secure methods became available.
 
ralmada (Author) commented:
hi sjef_bosman,

Thanks for your comment. What do you mean by dspHTTPPassword is for display purpose only?
 
Sjef Bosman (Groupware Consultant) commented:
DiSPlay... There are many fields in a Notes form that are used to display a value of another field. For example, a phone number could have been entered as 0123456789, and the dspPhoneNumber field contains a formula to convert it to text, in the format 01-234-56789. The standard field will be visible in edit-mode, the dsp-field in read-mode. The dsp-thing is just a name, it isn't special or so, for Notes.
ralmada (Author) commented:
I see, that would make sense for a telephone field. But what about dspHTTPPassword, why would you require formatting on the password field?

Also you're saying that the real thing is in HTTPPassword, however from
http://dsecrg.com/files/pub/pdf/Penetration_from_application_down_to_OS_(Lotus_Domino).pdf

It looks like both could have the password hash. Sorry, I'm a bit confused.
 
Sjef Bosman (Groupware Consultant) commented:
Haven't the faintest. My abilities as an augur declined rapidly when I had to quit drinking tea: no more leaves to read. Better use a Designer client to find all references to HTTPPassword in the design of the N&A book.

By the way, you often find fields in Notes databases and documents that sort of "linger around". They were created in the past, had their use, and now a new design is applied they lost their meaning. Since there is no real need to remove them they're still there...

And it might have been used by a browser, displaying **** or so. Can you see if those two fields you mentioned often have identical contents?
 
ralmada (Author) commented:
> Can you see if those two fields you mentioned often have identical contents?

Some do, but only a very few.
 
Sjef Bosman (Groupware Consultant) commented:
Interesting document, the one on how to penetrate a Domino system. Did you sufficiently protect the names.nsf database, blocking access to outside users? Anonymous should have No Access. If you have that, attacks can only come from the inside, from someone who already has a name and password to enter the server.

Are you concerned about your own server or are you trying to break in? Btw, any system that allows password hashes to be read by users is vulnerable. It is very hard if not impossible to protect your server from an attack from the inside. One way to protect your system from the outside is to put a separate mail/web server in a DMZ, in a separate domain, with only some databases of minor importance. And of course, always use the Notes client and disallow the use of a browser.

I must confess that Domino security is not one of my stronger points. I hope someone else may take over.
 
doninja commented:
Just to affirm that Sjef is right (as usual :P )

The DSPxxx field should only appear if you have the document open in a Notes client.
If you use a view and select Document Properties you will get a list of fields in the document that doesn't include the DSPxxx fields.

Removing $SecurePassword from the person form in design, or from a created person document, does not affect the currently saved HTTPPassword contents but should update it the next time it is changed.
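An added audit helper (not from this thread or from HCL/IBM) that applies what the answers above say: HTTPPassword is the authoritative field, a saved dspHTTPPassword is a stray display field worth flagging, and a missing $SecurePassword only matters at the next password change. It runs over person documents exported as dicts; the hash-shape regexes (34-character legacy unsalted hash versus the salted "(G" / "(H" formats) are my assumption about Domino's conventions, not something the thread states, and the sample records are constructed.

```python
import re

# Assumed hash-shape conventions (not stated in the thread): legacy unsalted hash is
# "(" + 32 hex + ")"; the "more secure" salted formats start with "(G" or "(H".
LEGACY_RE = re.compile(r"^\([0-9A-Fa-f]{32}\)$")
SECURE_RE = re.compile(r"^\((G[A-Za-z0-9+/]{19}|H[A-Za-z0-9+/]{49})\)$")


def classify_hash(value):
    """Label the shape of an Internet password hash string."""
    if not value:
        return "absent"
    if LEGACY_RE.match(value):
        return "legacy-unsalted"
    if SECURE_RE.match(value):
        return "salted"
    return "unknown"


def audit_person(doc):
    """Return findings for one person document (dict of field name -> value).

    Only HTTPPassword is treated as the real password field; dspHTTPPassword is a
    display field that should not normally have been saved with the document."""
    real = doc.get("HTTPPassword")
    disp = doc.get("dspHTTPPassword")
    findings = {
        "hash_format": classify_hash(real),
        "stray_dsp_field": disp is not None,
        "dsp_differs": disp is not None and real is not None and disp != real,
        "secure_flag_absent": "$SecurePassword" not in doc,
    }
    findings["weak"] = findings["hash_format"] != "salted"
    return findings


def audit_directory(docs):
    """Map ShortName -> findings for every document that needs attention."""
    report = {d.get("ShortName", "?"): audit_person(d) for d in docs}
    return {n: f for n, f in report.items() if f["weak"] or f["stray_dsp_field"]}


# Constructed sample records; hash values are made up to have the right shape only.
SAMPLE_DOCS = [
    {"ShortName": "alice", "HTTPPassword": "(G" + "A" * 19 + ")", "$SecurePassword": "1"},
    {"ShortName": "bob", "HTTPPassword": "(" + "0" * 32 + ")"},
    {"ShortName": "carol", "HTTPPassword": "(G" + "B" * 19 + ")",
     "dspHTTPPassword": "(" + "1" * 32 + ")", "$SecurePassword": "1"},
    {"ShortName": "dave", "dspHTTPPassword": "(G" + "C" * 19 + ")"},
]

if __name__ == "__main__":
    for name, finding in audit_directory(SAMPLE_DOCS).items():
        print(name, finding)
```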
 
ralmada (Author) commented:
Thank you guys!!!

I am currently reviewing the security around our servers and this is really helpful in making my final recommendation.