[rt-users] Security risk! Passwords can be compromised!

Andreas Heinlein aheinlein at gmx.com
Tue Feb 3 07:55:41 EST 2009


Dave Sherohman schrieb:
>
> I can't say that I find the latter point particularly relevant, as many
> users are in the habit of re-using passwords across multiple sites.
>
> If I, as an RT admin, have access to my RT users' passwords, then that
> may not present any risk to the security of my RT installation (as
> admin, I have full access anyhow), but it does potentially place those
> users' email accounts, bank accounts, etc. at risk if they use the same
> passwords on those sites as they do on my RT install.
>   
If such people want to find out users passwords in order to try them out
elsewhere, they could just remove the cloaking of passwords from the RT
source, or sniff the http packets (or set up a man-in-the-middle-attack
if RT is using HTTPS), or design their own login page that writes down
the passwords before passing them to RT, or...

In many organizations, it is policy that admins do not know and cannot
recover their users passwords, including ours. That's OK for secure
applications and authentication frameworks like Windows domain logons or
Kerberos. But there's no way to secure a plain http login against your
own admins. You will have to use some other form of authentication for
RT if you want this.

Bye,
Andreas



More information about the rt-users mailing list