Solved

Domino Internet Passwords

Posted on 2011-03-07
878 Views
Last Modified: 2013-12-18
Hi,

What are the differences between the dspHTTPPassword and HTTPPassword fields in a person document?

In my directory I have people with either one or the other, or sometimes both. If both are there, which one is the internet password, considering that they differ?

And finally, if the $SecurePassword field is absent in the person document, how is it possible that the password hash still has the "more secure internet password" hash format?

Thanks in advance
Question by:ralmada
9 Comments
 
LVL 46

Accepted Solution

by:
Sjef Bosman earned 375 total points
ID: 35058799
dsp means Display, so I assume the one with dsp is for display purposes only. Normally dspXXX fields shouldn't be saved, it must have slipped through I guess. HTTPPassword is the real thing.

Your second question I don't have the answer to. Sorry. I can only guess that some documents were saved before the new, more secure methods became available.
 
LVL 41

Author Comment

by:ralmada
ID: 35059901
hi sjef_bosman,

Thanks for your comment. What do you mean by dspHTTPPassword being for display purposes only?
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 35060495
DiSPlay... There are many fields in a Notes form that are used to display a value of another field. For example, a phone number could have been entered as 0123456789, and the dspPhoneNumber field contains a formula to convert it to text, in the format 01-234-56789. The standard field will be visible in edit-mode, the dsp-field in read-mode. The dsp-thing is just a name, it isn't special or so, for Notes.
 
LVL 41

Author Comment

by:ralmada
ID: 35061082
I see, that would make sense for a telephone field. But what about dspHTTPPassword, why would you require formatting on the password field?

Also, you're saying that the real thing is in HTTPPassword; however, from
http://dsecrg.com/files/pub/pdf/Penetration_from_application_down_to_OS_(Lotus_Domino).pdf

it looks like both could have the password hash. Sorry, I'm a bit confused.
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 375 total points
ID: 35062015
Haven't the faintest. My abilities as an augur declined rapidly when I had to quit drinking tea: no more leaves to read. Better use a Designer client to find all references to HTTPPassword in the design of the N&A book.

By the way, you often find fields in Notes databases and documents that sort of "linger around". They were created in the past, had their use, and now that a new design is applied they have lost their meaning. Since there is no real need to remove them, they're still there...

And it might have been used by a browser, displaying **** or so. Can you see if those two fields you mentioned often have identical contents?
 
LVL 41

Author Comment

by:ralmada
ID: 35065724
>> Can you see if those two fields you mentioned often have identical contents?  << Some do, but only a very few.
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 375 total points
ID: 35067983
Interesting document, the one on how to penetrate a Domino system. Did you sufficiently protect the names.nsf database, blocking access to outside users? Anonymous should have No Access. If you have that, attacks can only come from the inside, from someone who already has a name and password to enter the server.

Are you concerned about your own server or are you trying to break in? Btw, any system that allows password hashes to be read by users is vulnerable. It is very hard if not impossible to protect your server from an attack from the inside. One way to protect your system from the outside is to put a separate mail/web server in a DMZ, in a separate domain, with only some databases of minor importance. And of course, always use the Notes client and disallow the use of a browser.

I must confess that Domino security is not one of my stronger points. I hope someone else may take over.
 
LVL 10

Assisted Solution

by:doninja
doninja earned 125 total points
ID: 35068495
Just to affirm that Sjef is right (as usual :P )

The DSPxxx field should only appear if you have the document open in a Notes client.
If you use a view and select Document Properties, you will get a list of fields in the document that doesn't include the DSPxxx fields.

Removing $SecurePassword from the person form in design, or from an already created person document, does not affect the currently saved HTTPPassword contents, but it should update the next time the password is changed.
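The two checks the thread converges on (does HTTPPassword agree with dspHTTPPassword where both are present, and which Person documents lack $SecurePassword) can be run from the directory itself. The following LotusScript agent is an added example written for this page; it is not code from the thread, from IBM/HCL, or from the dsecrg paper. It assumes it is run as an agent inside names.nsf (so `CurrentDatabase` is the directory) and that the hidden `($People)` view is present. The hash-format classification is an assumption of this example: it treats values beginning with `(G` or `(H` as the salted "more secure" format and a value of `(` followed by 32 hex characters and `)` as the legacy unsalted format. It deliberately prints only the format and field presence, never the hash values.

```lotusscript
' Added audit agent (not from the thread or the product): walks every Person
' document in names.nsf and reports which password fields are present,
' whether HTTPPassword and dspHTTPPassword agree, and the apparent hash format.
Option Declare

' ASSUMPTION: salted ("more secure") Domino hashes begin with "(G" or "(H";
' the legacy unsalted format is "(" + 32 hex characters + ")".
Function HashFormat(h As String) As String
    If h = "" Then
        HashFormat = "absent"
    ElseIf Left$(h, 2) = "(G" Or Left$(h, 2) = "(H" Then
        HashFormat = "salted"
    ElseIf Len(h) = 34 And Left$(h, 1) = "(" And Right$(h, 1) = ")" Then
        HashFormat = "unsalted"
    Else
        HashFormat = "unknown"
    End If
End Function

Sub Initialize
    Dim s As New NotesSession
    Dim db As NotesDatabase
    Dim view As NotesView
    Dim doc As NotesDocument
    Dim httpPw As String, dspPw As String
    Dim total As Long, bothPresent As Long, mismatch As Long, noSecure As Long

    Set db = s.CurrentDatabase           ' assumed: the agent lives in names.nsf
    Set view = db.GetView("($People)")   ' hidden view listing Person documents
    Set doc = view.GetFirstDocument
    Do Until doc Is Nothing
        total = total + 1
        httpPw = "" : dspPw = ""
        If doc.HasItem("HTTPPassword") Then httpPw = doc.GetItemValue("HTTPPassword")(0)
        If doc.HasItem("dspHTTPPassword") Then dspPw = doc.GetItemValue("dspHTTPPassword")(0)

        ' Both fields stored: note whether they disagree (the situation the question asks about)
        If httpPw <> "" And dspPw <> "" Then
            bothPresent = bothPresent + 1
            If httpPw <> dspPw Then mismatch = mismatch + 1
        End If

        ' $SecurePassword missing: these are the documents worth re-saving after a password change
        If Not doc.HasItem("$SecurePassword") Then noSecure = noSecure + 1

        ' Report name, presence and format only; the hash values themselves are never printed
        Print doc.GetItemValue("FullName")(0) & _
            ": HTTPPassword=" & HashFormat(httpPw) & _
            ", dspHTTPPassword=" & HashFormat(dspPw) & _
            ", $SecurePassword=" & CStr(doc.HasItem("$SecurePassword"))
        Set doc = view.GetNextDocument(doc)
    Loop

    Print "Person docs: " & CStr(total) & ", both hash fields stored: " & CStr(bothPresent) & _
        ", differing: " & CStr(mismatch) & ", without $SecurePassword: " & CStr(noSecure)
End Sub
```

Run it with the Domino server's agent log or the Designer debugger open to capture the `Print` output. The summary line gives you the numbers Sjef asked for (how many documents carry both fields, and how many of those differ), and any Person document still reported as `unsalted` is one where the hash was written before the more secure format was enabled and will only change when that user's internet password is next set.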
 
LVL 41

Author Closing Comment

by:ralmada
ID: 35069841
Thank you guys!!!

I am currently reviewing the security around our servers and this is really helpful in making my final recommendation.