[Xitami] Plaintext passwords on Bugtraq (again)

Pieter Hintjens xitami@lists.xitami.org
Mon, 24 Jun 2002 10:58:38 +0200


Michael Burns <mburns83@directvinternet.com> wrote:

> Imatix,
> 
> Why were the passwords in the configuration files (default.aut, 
> ftpusers.aut, etc.) left in plaintext? Is there any plan to change
> that?

I think the FAQ answers the 'why', and I don't see any flaws in the 
original reasoning: if someone can read your password files, then (a) 
they can use dictionary-based attacks, and (b) your general security 
has been compromised and that is much more serious than whether the 
passwords are hashed or not (and the extra hour or two that takes for 
someone to crack enough of them to get into your server).

My personal opinion is that flagrantly unsecured password files are 
actually a 'feature' since they oblige the system administrator to 
think seriously about security issues (such as running NTFS vs. 
FAT32).

But that may just be laziness.  We've always planned to implement 
password hashing at some stage.  Given that this issue keeps coming 
back, we'll look at this for the next release.

The planned design is this: we will keep the existing file 
structures, and put the hashing logic inside Xitami.  When it reads a 
password file, it will hash any (new) unhashed passwords.  We don't 
want to break scripts that create password files.

-
Pieter Hintjens
iMatix Corporation
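The hash-on-load design sketched in the message above, written out as an added example (this is illustrative code, not Xitami's; the `user:password` line layout, the `$pbkdf2-sha256$` marker and the use of PBKDF2 are assumptions, since the message does not describe the actual .aut file format):

```python
import hashlib
import hmac
import os

# Assumed on-disk layout (NOT the real Xitami .aut format): one "user:password"
# entry per line; blank lines and '#' comments are passed through unchanged.
HASH_PREFIX = "$pbkdf2-sha256$"   # hypothetical marker for already-hashed entries
ITERATIONS = 100_000

def hash_password(password, salt=None):
    """Return a self-describing salted PBKDF2 string for one password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{HASH_PREFIX}{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored, candidate):
    """Check a candidate against a stored entry, hashed or still plaintext."""
    if not stored.startswith(HASH_PREFIX):
        # Legacy plaintext entry: still accepted, so scripts that write
        # plaintext keep working until the next load hashes the file.
        return hmac.compare_digest(stored.encode(), candidate.encode())
    iters, salt_hex, digest_hex = stored[len(HASH_PREFIX):].split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def upgrade_password_file(text):
    """Hash every plaintext entry in place; returns (new text, count upgraded).
    Lines that are not 'user:password' entries are left exactly as they are,
    and already-hashed entries are never re-hashed, so the call is idempotent."""
    out, upgraded = [], 0
    for line in text.splitlines():
        if line.strip() == "" or line.lstrip().startswith("#") or ":" not in line:
            out.append(line)
            continue
        user, secret = line.split(":", 1)
        if not secret.startswith(HASH_PREFIX):
            secret = hash_password(secret)
            upgraded += 1
        out.append(f"{user}:{secret}")
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), upgraded

# Constructed sample file (not a real configuration): one plaintext entry,
# one entry that was already hashed by an earlier load.
SAMPLE = "# ftp users\nalice:s3cret\nbob:" + hash_password("hunter2") + "\n"

if __name__ == "__main__":
    new_text, n = upgrade_password_file(SAMPLE)
    print(new_text, f"upgraded {n} entry/entries")
```

Writing the upgraded text back should go through a temp file plus atomic rename, and the file must stay readable only by the server account, since the message's point stands: a hash only buys time once the file itself is exposed.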