Third party product: Lotus Notes Password Recovery Key

Someone brought this third-party product to my attention. Does anyone have any knowledge of this? If this product works, has the security of the user ID gone down the tubes?

xxxxxxx

Lotus Notes Password Recovery Key - password recovery for Lotus Notes user ID files.

Lotus Notes Password Recovery Key can recover passwords for Lotus Notes user ID files (.id).

Here are some key features of “Lotus Notes Password Recovery Key”:

· Lotus Notes versions 4.1 through 6.5 are supported

· Recovers passwords using a combination of Brute-Force, Xieve™ or Dictionary attacks

· Additional user dictionaries support, case changes, multiple mistypes and other modifications for each dictionary word

· Program automatically saves password search state and can resume after a stop or a crash

· Patterns can be used to minimize search time if any part of the password is known

· Non-English characters in passwords are supported

· Full install/uninstall support

Subject: Did you do any research?

If you had, you’d have seen it doesn’t work for installations beyond R6.5.

Subject: How strong are your passwords?

There are countless password guessing programs floating around out there, but they’re nothing to worry seriously about. The web site for the product that you mentioned even states, "Lotus Notes uses relatively strong encryption algorithm that makes instant password calculation impossible".

If your password is “password”, “password1”, or “Password1”, somebody could guess it in a few moments by typing at a keyboard. If you have a policy requiring a password quality of 12 or better and no dictionary words, even an automated brute force guessing program would have a hard time guessing the password for any specific ID file before that ID file’s owner retires.

Life has also grown harder for the password guessing programs and easier for security-conscious Notes admins from release to release. Notes/Domino 8.0.1 introduced a new security settings policy that you can use to enforce a specific ID file encryption algorithm, or to prevent users from using the older ones. I’d recommend preventing use of 64 bit RC2, since 128 bit RC2 has been supported since ND6. You’ve upgraded your computers since Notes V1 shipped; it’s time to upgrade your security settings as well. If your users are on fast computers and only using 8.0.1+, you can even force them to use an iterated 128 bit AES algorithm that at default settings would (according to some crudely unscientific calculations on two different unloaded computers) roughly turn a “one-day-to-guess” weak password into a “ten-years-to-guess” weak password. And if that’s not enough, and your users are willing to tolerate a massive delay every time they enter their passwords, you can force use of a 256 bit AES algorithm and crank up the iteration count to the maximum, and turn that one day (or ten years) into over 130 years.

So, no, I’d have to say that the security of the user ID has been improving significantly over the years, not going down the tubes at all. :)
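As an added example (not code from anyone in this thread, not Lotus/IBM code, and not a model of the actual Notes ID-file format), the Python below uses PBKDF2-HMAC-SHA256 as a stand-in for the iterated key-derivation the previous post describes. It shows three things the post argues: a short wordlist still recovers a weak password at any iteration count, raising the iteration count cuts guesses per second roughly in proportion, and a 12-character mixed-case alphanumeric password with no dictionary words leaves only exhaustive search, which is infeasible even at an assumed one billion guesses per second. The salt, wordlist, iteration counts and guess rate are constructed assumptions.

```python
# Added illustration: how an iterated key-derivation function multiplies the
# cost of each password guess, and how length/charset size the search space.
# PBKDF2-HMAC-SHA256 is an assumption standing in for the iterated AES scheme
# described in the thread; the real Notes ID-file wrapping is not modelled.
import hashlib
import time
from typing import Iterable, Optional


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key; per-guess cost grows linearly with iterations."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def crack(target: bytes, salt: bytes, iterations: int,
          candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: derive a key for each candidate and compare.

    The attacker must pay the full iteration cost for every candidate, which is
    exactly why a higher iteration count slows guessing programs down.
    """
    for pw in candidates:
        if derive_key(pw, salt, iterations) == target:
            return pw
    return None


def keyspace_size(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Worst-case time to try every password at a given guess rate."""
    seconds = keyspace_size(charset_size, length) / guesses_per_second
    return seconds / (365.25 * 86400)


def measure_rate(iterations: int, samples: int = 100) -> float:
    """Rough guesses/second on this machine for a given iteration count."""
    salt = b"\x00" * 16  # constructed salt for the timing loop
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess{i}", salt, iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; a real scheme uses a random salt

    # A weak password falls to a tiny wordlist no matter how many iterations.
    weak_target = derive_key("Password1", salt, 1000)
    print("wordlist hit:",
          crack(weak_target, salt, 1000, ["password", "password1", "Password1"]))

    # ~100x more iterations => ~100x fewer guesses per second for the attacker.
    low, high = measure_rate(100), measure_rate(10_000)
    print(f"{low:,.0f} guesses/s at 100 iterations, "
          f"{high:,.0f} at 10,000 (slowdown ~{low / high:.0f}x)")

    # Policy from the thread: 12 chars, no dictionary words -> brute force only.
    # 62 = upper + lower + digits; 1e9 guesses/s is an assumed attacker rate.
    print(f"{years_to_exhaust(62, 12, 1e9):,.0f} years to exhaust "
          "62^12 at 1e9 guesses/s")
```

The timing numbers depend on the machine, but the ratio between the two iteration counts is what matters: every extra iteration is paid once per login by the user and once per candidate by the attacker, so the admin chooses how much delay users will tolerate and the attacker inherits the same multiplier on every guess.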

Subject: Thank you for the responses

Very helpful information gentlemen.