[rt-users] Security risk! Passwords can be compromised!

Dave Sherohman dave at sherohman.org
Tue Feb 3 09:45:07 EST 2009


On Tue, Feb 03, 2009 at 01:55:41PM +0100, Andreas Heinlein wrote:
> Dave Sherohman schrieb:
> >
> > I can't say that I find the latter point particularly relevant, as many
> > users are in the habit of re-using passwords across multiple sites.
> >
> > If I, as an RT admin, have access to my RT users' passwords, then that
> > may not present any risk to the security of my RT installation (as
> > admin, I have full access anyhow), but it does potentially place those
> > users' email accounts, bank accounts, etc. at risk if they use the same
> > passwords on those sites as they do on my RT install.
> >   
> If such people want to find out users' passwords in order to try them out
> elsewhere, they could just remove the cloaking of passwords from the RT
> source, or sniff the http packets (or set up a man-in-the-middle attack
> if RT is using HTTPS), or design their own login page that writes down
> the passwords before passing them to RT, or...

Fair point, but I still see a significant difference between "turn on
this switch and we'll hand you the passwords in a log file" and the
various methods you mention, any of which would require some degree of
skill and/or effort to implement.  Doubly so when the switch in question
has other, legitimate, uses which can result in the admin accidentally
making a plaintext record of the passwords without even realizing it.

-- 
Dave Sherohman
NomadNet, Inc.
http://nomadnetinc.com/
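An added illustration of the defender's side of the point above; it is not RT code or anything from the list, and the parameter names, log format and sample lines are assumptions. It routes a debug dump of request parameters through a redaction filter so a "log everything" switch cannot record credentials in clear, and scans an existing log for lines where a password field did reach disk unmasked.

```python
"""Keep credential values out of request-debug logs, and detect when they got in."""
import re

# Parameter names treated as secrets (assumption: typical login-form field names).
# Over-matching (e.g. "passport") only costs a little debug detail, so err on that side.
SECRET_KEYS = re.compile(r"pass|secret|token", re.IGNORECASE)
MASK = "[REDACTED]"


def redact_params(params: dict) -> dict:
    """Return a copy of the form parameters with secret-looking values masked."""
    return {k: (MASK if SECRET_KEYS.search(k) else v) for k, v in params.items()}


def format_debug_line(path: str, params: dict) -> str:
    """Build the kind of line a request-debugging switch writes, after redaction.

    Format is illustrative: 'DEBUG request <path> params: k=v&k=v' with keys sorted.
    """
    safe = redact_params(params)
    body = "&".join(f"{k}={v}" for k, v in sorted(safe.items()))
    return f"DEBUG request {path} params: {body}"


# Detection side: a password-like field followed by anything other than the mask.
LEAK_PATTERN = re.compile(r"\b(pass(?:word|wd)?)=(?!\[REDACTED\])[^&\s]+", re.IGNORECASE)


def find_plaintext_passwords(log_lines):
    """Return (line_number, field_name) pairs where a credential was logged unmasked."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in LEAK_PATTERN.finditer(line):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    # Constructed sample login submission.
    req = {"user": "alice", "pass": "hunter2", "next": "/"}
    print(format_debug_line("/login", req))
    # Constructed log excerpt: one line written before the filter existed, one after.
    sample_log = [
        "DEBUG request /login params: next=/&pass=hunter2&user=alice",
        format_debug_line("/login", req),
    ]
    print(find_plaintext_passwords(sample_log))  # only the first line is flagged
```

Run the scan over the debug log before handing it to anyone, and rotate any credential it flags.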