Assuming you already have an internet pw…
Open your Person doc in the Domino Directory and put it in edit mode. Highlight a portion of the existing hashed password (like everything between the parentheses) and replace it with another pw. Save. Note that the new pw is not hashed. Basically, unless the user deletes the entire pre-existing entry first, the entry is readable.
I don’t know if this was a problem before, because I don’t have an R5 version to test anymore.
So, is this a bug?
Subject: mis-edited internet password is visible
Yeah, I think the hashing function uses the presence of parentheses to determine whether it’s already hashed or not. Which, incidentally, means any password surrounded by parentheses (MyPassword) will never work.
It wouldn’t be difficult to construct a change password action that would allow you to make the HTTPPassword field not directly editable. Of course, this means modifying your directory design, so if that’s against your policy you’re out of luck.
Subject: mis-edited internet password is visible
Yeah, I understand what’s happening. My point though is that I’ve seen end users edit the field incorrectly as often as I’ve seen them do it the right way. So, from a usability standpoint, I’m wondering if this should be “fixed.” Also, from a security standpoint, anybody can see what the user intended the pw to be, and may try to use it to gain access to other things. After all, let’s face it, users tend to be consistent in their pw choices.
Subject: RE: mis-edited internet password is visible
Fair points all…
Stephen Lister
Subject: mis-edited internet password is visible
I believe that when editing the value between the parentheses, you are editing the hash, not the password itself. If you change the hashed password to be “(foo)”, then “foo” shouldn’t be a valid password – you’d need to find something that hashed to the value, “foo”, which is a technically infeasible task.
However, if you remove the existing value entirely and change the value to “foo” (or something else not enclosed by parentheses), then when you save the document, the value should change to be the hash of what you entered, and you will see what appears to be random garbage enclosed by parentheses.
dave
Subject: RE: mis-edited internet password is visible
The test for this would be to see if the password ‘foo’ works after being typed between the ‘()’ - I suspect that it won’t, as it will be hashed and then compared to the hash value ‘foo’, won’t match and will be rejected.
Stephen Lister
Subject: mis-edited internet password is visible
Using 5.0.10 server and client. As long as the ‘()’ remain in the Internet password field when typing in a new password it remains visible. Only after removing the ‘()’ also did the password become encrypted.
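The behaviour discussed in this thread, as an added example that is not part of any post and is not Domino's own code: a save routine that treats surrounding parentheses as an "already hashed" marker, next to a hardened variant that keeps a value only when it is the unchanged stored hash. SHA-256 stands in for Domino's hash, which the thread does not show; all function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import re

def digest(password: str) -> str:
    # Assumption: SHA-256 stands in for Domino's hash, which the thread does not show.
    return hashlib.sha256(password.encode("utf-8")).hexdigest().upper()

def save_naive(field_value: str) -> str:
    """Save-time rule as described in the thread: parentheses mean 'already hashed'."""
    if field_value.startswith("(") and field_value.endswith(")"):
        return field_value                      # stored untouched, readable by anyone
    return "(" + digest(field_value) + ")"

def verify(stored: str, attempt: str) -> bool:
    """Login check: hash the attempt and compare with the text between the parentheses."""
    return hmac.compare_digest(stored[1:-1].encode("utf-8"),
                               digest(attempt).encode("utf-8"))

HASH_FORM = re.compile(r"\([0-9A-F]{64}\)")     # shape of a value this sketch produces

def save_hardened(field_value: str, previous: str) -> str:
    """Keep the field only if it is the unchanged, well-formed stored hash; else hash all of it."""
    if field_value == previous and HASH_FORM.fullmatch(field_value):
        return field_value
    return "(" + digest(field_value) + ")"

if __name__ == "__main__":
    old = save_naive("OldSecret1")              # constructed sample values
    edited = "(Winter2024)"                     # user overtyped between the parentheses
    print("naive stores:   ", save_naive(edited))
    print("naive login ok: ", verify(save_naive(edited), "Winter2024"))
    print("hardened stores:", save_hardened(edited, old))
    print("untouched kept: ", save_hardened(old, old) == old)
```

With the hardened rule the edited field is hashed whole, so the stored value never shows the intended password and a password that really is wrapped in parentheses verifies. A form could instead reject the edit and ask the user to clear the field first.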