Under no circumstances should ASCII/text files contain passwords in a directly readable, clear-text format. This is considered a major violation of security by service providers. Network service providers have been disallowing clear-text passwords for several years. OpenHPI needs to conform to this as it is being used in service providers' network equipment. We have encountered this several times and the service providers demand fixes to avoid the clear-text passwords in configuration, log, or any ASCII/text files. We discovered clear-text passwords in:
As a solution, any passwords stored in configuration files should be encrypted and salted [for salting, see e.g. http://en.wikipedia.org/wiki/Salt_(cryptography)].
Tom Wagner; Alcatel-Lucent; Email: tom.wagner at alcatel-lucent.com