[Xitami] Plaintext passwords on Bugtraq (again)

niall munnelly xitami@lists.xitami.org
Fri, 21 Jun 2002 21:28:39 -0500


> Imatix,
> 
> Why were the passwords in the configuration files (default.aut, 
> ftpusers.aut, etc.) left in plaintext? Is there any plan to change that?
> 
> 
> Mike

it's in the FAQ.

http://WWW.YOUR_DOMAIN.COM/xitami/index18.htm

7: Why is the password file not encrypted?
In general if access to your server is secure, then the lack of encryption is not a problem. If someone can read the Xitami directory on your system, they can see the passwords. Note that even if you use a hashed password file, it is often trivial to discover passwords using a dictionary-based attack. It's therefore much better to concentrate on hiding the password file than on encrypting it. At some future date, Xitami will support encrypted (hashed) passwords.


there you go.  if people have access to the localhost, you've got bigger
problems than plaintext passwords.

-- 
yours,
niall.
.. .  .   .    .     .       .           .             .                 .
aleph null.                             a simple insinuation around silence.
see: http://www.vietnambla.com          hear: http://radio.vietnambla.com

.. .bebox.audio. ..
playing now:  sketch - sway - reasons to sway
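As an added illustration of the two controls the quoted FAQ contrasts (restricting who can read the password file versus storing hashes instead of plaintext), here is a small Python example. It is not Xitami code and does not use Xitami's real .aut format; the "user:password" lines, the pbkdf2_sha256 record layout, the iteration count and the file name default.aut are all constructed for the example. It converts a plaintext credential list into salted, slow-KDF records, verifies a login against them, and writes the result with owner-only permissions, which is the "hiding" the FAQ recommends. The FAQ's caveat still applies: a hashed file with weak passwords in it remains guessable, so hashing complements access control rather than replacing it.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from typing import Dict, Optional

# Constructed sample of a plaintext "user:password" credential file in the
# spirit of the question above (hypothetical contents, not a real .aut file).
PLAINTEXT_AUT = "mike:hunter2\nniall:correct horse battery staple\n"

# Assumption: a deliberately slow PBKDF2 iteration count, so each guess
# against the stored records costs real CPU time.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'pbkdf2_sha256$rounds$salt_hex$hash_hex' record for one password.

    A fresh random 16-byte salt is generated unless one is supplied, so two
    users with the same password get different records.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt/rounds and compare in constant time."""
    try:
        algo, rounds, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def convert_plaintext_file(text: str) -> str:
    """Rewrite every 'user:password' line as 'user:<hashed record>'."""
    out = []
    for line in text.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        user, password = line.split(":", 1)
        out.append(f"{user}:{hash_password(password)}")
    return "\n".join(out) + "\n"


def parse_hashed_file(text: str) -> Dict[str, str]:
    """Map user name -> stored record from the converted file."""
    entries = {}
    for line in text.splitlines():
        if ":" in line:
            user, stored = line.split(":", 1)
            entries[user] = stored
    return entries


def write_private_file(path: str, content: str) -> int:
    """Write the file readable/writable by its owner only; return the mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o600)  # in case the file pre-existed with wider permissions
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Convert, store with restrictive permissions, and check one login."""
    hashed = convert_plaintext_file(PLAINTEXT_AUT)
    entries = parse_hashed_file(hashed)
    with tempfile.TemporaryDirectory() as d:
        mode = write_private_file(os.path.join(d, "default.aut"), hashed)
    return {
        "mike_ok": verify_password("hunter2", entries["mike"]),
        "mike_wrong": verify_password("hunter3", entries["mike"]),
        "plaintext_gone": "hunter2" not in hashed,
        "mode": mode,
    }


if __name__ == "__main__":
    print(demo())
```

The salt is stored alongside the hash because it is not a secret; its job is to make identical passwords produce different records and to stop a single precomputed table from covering every user. The owner-only mode on the written file is the part that actually addresses the concern raised in the thread, since a reader with access to the directory can still feed the records to a guessing tool.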