Domino HTTP Password Hash

About 5 years ago, yes 5 years ago, this vulnerability was posted at Defcon 8. The basic issue is that a person's Domino Internet Password Hash can be stolen and decrypted.
Basically, the hash of your internet password is stored in a field in the person document.

The problem is I still see this vulnerability in environments today.

The hash you see there is the hash for “1234test”. Then some simple Lotus Formula using the @Password command for “1234test” hashes to the same string. This is true of any Domino server (including Domino 7.0) with out-of-the-box configuration.

The main problem here is that with a brute force or dictionary attack you have a very simple way of identifying a user's password. So someone with access to your Domino directory steals a hash; what is the problem?

Well, if the password is that of one of your administrators and you allow administration of Domino using a browser, OR you have browser-enabled email and they get the password of your managing director, then you have a big problem. Not to mention the drive to synchronise passwords for multiple systems!!

So what is the technically difficult solution that prevents this problem by salting the password?

Select the users in the address book, select Actions – Update to a more secure internet password.

Really, that is it. So I am dumbfounded by the lack of action from the large company I have informed... please check your environments if this is the first time you have read about this issue.
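To make the "unsalted versus salted" point concrete, here is an added Python illustration (not from the original post, and not Domino's real @Password or "more secure internet password" algorithms, which are stand-ins here). It models a handful of constructed person documents and shows why a deterministic, unsalted hash lets one stolen value stand in for every user with the same password, while a salted one does not:

```python
import hashlib
import hmac
import os
from collections import Counter

# Stand-in algorithms for illustration only. They are NOT Domino's actual
# @Password or "Update to a more secure internet password" hash formats; they
# simply reproduce the unsalted-vs-salted property the post describes.

def legacy_hash(password: str) -> str:
    """Deterministic and unsalted: the same password always gives the same string,
    so a hash copied out of one person document can be matched by recomputation."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def secure_hash(password: str, salt: bytes = None) -> str:
    """Salted and iterated: a fresh random salt is stored next to the digest,
    so two users with the same password get different stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"

def verify_secure(password: str, stored: str) -> bool:
    """Check a password against a salted record without leaking timing information."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)

def build_directory(hasher):
    """Constructed sample 'person documents': two users chose the same password."""
    users = {"Alice": "1234test", "Bob": "1234test", "Carol": "another-password"}
    return {name: hasher(pw) for name, pw in users.items()}

def shared_hash_count(directory: dict) -> int:
    """Number of users whose stored value is identical to some other user's.
    Any count above zero means the stored values are not individually salted."""
    counts = Counter(directory.values())
    return sum(1 for h in directory.values() if counts[h] > 1)

if __name__ == "__main__":
    print("legacy duplicates:", shared_hash_count(build_directory(legacy_hash)))  # 2
    print("salted duplicates:", shared_hash_count(build_directory(secure_hash)))  # 0
```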

2 Comments

  1. Hi Master, am I correct that the problem also happens in R7? That means I can use @password of an R7 client to find the hash value of the httppassword? Thanks.

