[rt-users] Security risk! Passwords can be compromised!

Akash joe.rtuser at gmail.com
Tue Feb 3 08:58:05 EST 2009


Well, the point is that it is wrong for anyone (even the admin) to know the
passwords of any user "in the clear" just by looking at the log files.
(How someone can obtain the passwords is a different matter.)

On Tue, Feb 3, 2009 at 7:55 AM, Andreas Heinlein <aheinlein at gmx.com> wrote:

> Dave Sherohman wrote:
> >
> > I can't say that I find the latter point particularly relevant, as many
> > users are in the habit of re-using passwords across multiple sites.
> >
> > If I, as an RT admin, have access to my RT users' passwords, then that
> > may not present any risk to the security of my RT installation (as
> > admin, I have full access anyhow), but it does potentially place those
> > users' email accounts, bank accounts, etc. at risk if they use the same
> > passwords on those sites as they do on my RT install.
> >
> If such people want to find out users' passwords in order to try them out
> elsewhere, they could just remove the cloaking of passwords from the RT
> source, or sniff the HTTP packets (or set up a man-in-the-middle attack
> if RT is using HTTPS), or design their own login page that writes down
> the passwords before passing them to RT, or...
>
> In many organizations, it is policy that admins do not know and cannot
> recover their users' passwords, including ours. That's OK for secure
> applications and authentication frameworks like Windows domain logons or
> Kerberos. But there's no way to secure a plain HTTP login against your
> own admins. You will have to use some other form of authentication for
> RT if you want this.
>
> Bye,
> Andreas
> _______________________________________________
> http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
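The first message's complaint is that a login form's parameters, password included, end up "in the clear" in a log file that any admin can read. The usual fix is to redact credential-bearing fields before the line is written, and to have a check that flags any line that still leaks one. The following is an added example of both, not code from RT or from anyone in this thread: the parameter names in SECRET_PARAMS and the sample log lines are constructed for illustration and do not reflect RT's actual log format or field names.

```python
import re

# Parameter names treated as credentials. This list is an assumption for
# the example; adjust it to the field names the application really uses.
SECRET_PARAMS = {"pass", "password", "passwd", "pwd", "secret", "token"}

# A key=value pair as it appears in a query string or url-encoded form body.
PAIR_RE = re.compile(r"([A-Za-z0-9_\-\[\].]+)=([^&\s]*)")


def redact_params(text):
    """Replace the value of every credential-bearing parameter in one log line."""
    def sub(m):
        key, value = m.group(1), m.group(2)
        if key.lower() in SECRET_PARAMS and value:
            return f"{key}=[REDACTED]"
        return m.group(0)
    return PAIR_RE.sub(sub, text)


def contains_credential(text):
    """True if the line still carries a non-empty, unredacted credential value."""
    for m in PAIR_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if key.lower() in SECRET_PARAMS and value and value != "[REDACTED]":
            return True
    return False


def scrub_log(lines):
    """Redact every line; also count how many originally leaked a credential."""
    scrubbed = []
    leaked = 0
    for line in lines:
        if contains_credential(line):
            leaked += 1
        scrubbed.append(redact_params(line))
    return scrubbed, leaked


# Constructed sample lines: a login POST that leaks a password, a harmless
# search GET, and a POST with an empty password field (nothing to redact).
SAMPLE_LOG = [
    "[Tue Feb 03 08:58:05 2009] [debug]: POST params: user=alice&pass=hunter2&next=%2FSelfService",
    "[Tue Feb 03 08:58:06 2009] [info]: GET /Search/Results.html?Query=Status%3D%27open%27&Rows=50",
    "[Tue Feb 03 08:58:07 2009] [debug]: POST params: user=bob&password=&next=%2F",
]

if __name__ == "__main__":
    cleaned, count = scrub_log(SAMPLE_LOG)
    print(f"{count} line(s) leaked a credential before scrubbing")
    for line in cleaned:
        print(line)
```

Redacting at write time is the part that addresses the complaint in the thread; the `contains_credential` check is what you would run over existing log files (or wire into log monitoring) to find out whether the cloaking has been bypassed or a new form field slipped past the list.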