#1761 OpenHPI config files should NEVER store clear-text passwords

Milestone: 3.4.0
Status: closed-duplicate
Priority: 5
Updated: 2013-10-21
Created: 2012-09-07
Creator: sixwags
Private: No

Under no circumstances should ASCII/text files contain passwords in a directly readable, clear-text format. This is considered a major violation of security by service providers. Network service providers have been disallowing clear-text passwords for several years. OpenHPI needs to conform to this as it is being used in service providers' network equipment. We have encountered this several times and the service providers demand fixes to avoid the clear-text passwords in configuration, log, or any ASCII/text files. We discovered clear-text passwords in:
/etc/openhpi/openhpi.conf

As a solution, any passwords stored in configuration files should be encrypted and salted [for salting, see e.g. http://en.wikipedia.org/wiki/Salt_(cryptography)]

Tom Wagner; Alcatel-Lucent; Email: tom.wagner at alcatel-lucent.com
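
A check that would catch what the report above describes, as an added example that is not part of the original ticket or of OpenHPI's code: it flags credential-like keys that hold a literal value and a config file readable by group or other. The handler and key names, the `enc:` marker and the sample file are constructed assumptions, not OpenHPI's actual format.

```python
import os
import re
import stat
import tempfile

# Keys whose name suggests a credential; the key names are assumptions.
SECRET_KEY = re.compile(
    r'(?i)^\s*([\w.-]*(?:password|passwd|secret)[\w.-]*)\s*=\s*"?([^"#\n]*)')
# Marker for values treated as already encrypted (hypothetical scheme).
PROTECTED = re.compile(r"^enc:")

# Constructed sample, not a real openhpi.conf.
SAMPLE = """\
handler libexample {
    example_user_name = "admin"
    example_password = "hunter2"
    example_backup_password = "enc:3q2+7w=="
    # example_old_password = "ignored"
}
"""

def audit_config(path):
    """Return (line_no, key, issue) findings; line_no 0 is file-level."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append((0, "<file>", f"mode {mode:o} readable by group/other"))
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if line.lstrip().startswith("#"):
                continue
            m = SECRET_KEY.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2).strip()
            # Report the key only; never echo the secret into audit output.
            if value and not PROTECTED.match(value):
                findings.append((no, key, "clear-text value"))
    return findings

def run_demo(mode=0o644):
    """Write SAMPLE to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_config(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```
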

Discussion

  • dr_mohan

    dr_mohan - 2013-10-21
    • status: open --> closed-duplicate
    • 3.4.0: --> 3.4.0
     
  • dr_mohan

    dr_mohan - 2013-10-21

    Duplicate of bug #1759 and feature request 697
    It was closed-fixed with checkins

     
    Last edit: dr_mohan 2013-10-21
  • Tariq Shureih

    Tariq Shureih - 2013-10-21

    **ATTENTION**
    This account is disabled and is no longer accessed by the recipient.
    Please remove it from your address book.

    Thanks

     
