On Lotus Notes Domino R4, cracked users' HTTP passwords were a major security risk. Some Notes Domino administrators are still experiencing that problem even in R6 and R7. SearchDomino.com contributor Andy Pedisich explains why the issues are still popping up and what you can do to combat this security flaw.
I love horror movies. My favorite moment in a B horror flick is when the heroine thinks she's wiped out the monster by stabbing it a hundred times. Relieved but exhausted, she turns her back and starts to leave, when suddenly the re-animated monster snarls and leaps towards her.
That gets me every time. Popcorn everywhere!
Well, there's a snarling security issue that's been around for a while, and I really thought we'd put a stake through its heart. I thought all Lotus Notes people knew about it and how to deal with it. I thought it was wiped out permanently.
But lately, I've been conducting some domain audits and I've discovered that I was wrong. There are still Lotus Notes domains that are exposed to the risk of someone cracking their users' HTTP passwords.
Here's the skinny: Way back in the days of R4, Lotus Notes stored the HTTP password in the person document in a way that was less than stellar. The password was hashed before it was stored, but the hash was unsalted: every password went through exactly the same function, so if several people used the same password, the identical value showed up in every one of their person documents.
For example, the password "lotusnotes" always looked like "DE9CA9CD7BD212362B6D312A33E10FB2", and the password "password" always looked like "355E98E7C7B59BD810ED845AD0FD2FC4."
Needless to say, it was pretty easy to find out which people used those HTTP passwords. In fact, a malicious and motivated user could do a lot better.
With very little ingenuity, an evil person could write an agent that hashes every word in a dictionary the same way Domino does and compares the results to the HTTPPassword values in your address book. Because there is no salt, the dictionary only has to be hashed once, and that single table tests every person document in the directory at the same time. Imagine the number of people who still use simple dictionary words as passwords. They'd all be exposed.
This issue was fixed in Notes/Domino 4.6 and beyond. A new option, "Use more secure Internet passwords," was introduced. It improves the way passwords are stored by mixing a random salt into each password before it is hashed.
The password "lotusnotes" is now stored looking like "GJ+SJ9nxOa5wFJTQJ4Kf," or like "GEFPM6E7fS9BcsuOt9EZ," or in a billion other ways, but practically never the same way twice. Two people with the same password no longer share a stored value, and a dictionary has to be re-hashed against every document's own salt instead of once for the whole address book. Thus, the weakness of pre-R4.6 Lotus Notes was fixed. But the default method of storing HTTP passwords in every subsequent version, from R4.6 to the present, is still the older, unsalted, less secure format: the fix is there, but you have to turn it on.
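To make the difference concrete, here is an added example (not Domino code, and not from the original article) that models the two storage schemes and runs the same small dictionary against both. SHA-256 stands in for whatever hash Domino actually uses, and the "salt$hash" layout is an assumption made for the demo; the point is the cost of a dictionary sweep, which is one pass for unsalted storage and one pass per document for salted storage. The user list and dictionary are constructed.

```python
import hashlib
import os
from collections import Counter

# Constructed demo data: a few users and a tiny "dictionary" of common passwords.
USERS = {"alice": "lotusnotes", "bob": "password", "carol": "lotusnotes", "dave": "Xk9!qv-77"}
DICTIONARY = ["lotusnotes", "password", "welcome", "letmein", "summer"]


# SHA-256 stands in for Domino's own hash function (assumption); the storage
# scheme, not the primitive, is what this example is about.
def legacy_store(password):
    """R4-style storage: hash the password alone, with no salt.
    Equal passwords therefore produce equal stored values."""
    return hashlib.sha256(password.encode()).hexdigest().upper()


def secure_store(password, salt=None):
    """R4.6+ 'more secure' style: a random per-document salt is mixed into the
    hash and stored beside it. Layout 'salt$hash' is assumed for the demo."""
    if salt is None:
        salt = os.urandom(5)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_secure(password, stored):
    """Re-derive the hash with the stored salt, as a login check would."""
    salt_hex, _ = stored.split("$", 1)
    return secure_store(password, bytes.fromhex(salt_hex)) == stored


def shared_values(stored_by_user):
    """Users whose stored values collide; with unsalted storage that means a shared password."""
    counts = Counter(stored_by_user.values())
    return {u: v for u, v in stored_by_user.items() if counts[v] > 1}


def crack_legacy(stored_by_user, dictionary):
    """Hash the dictionary once, then look every user up in that one table.
    Returns (cracked users, number of hashes computed)."""
    table = {legacy_store(w): w for w in dictionary}
    cracked = {u: table[v] for u, v in stored_by_user.items() if v in table}
    return cracked, len(dictionary)


def crack_secure(stored_by_user, dictionary):
    """Each user has a different salt, so the dictionary is re-hashed per user.
    Returns (cracked users, number of hashes computed)."""
    cracked, work = {}, 0
    for user, stored in stored_by_user.items():
        salt = bytes.fromhex(stored.split("$", 1)[0])
        for word in dictionary:
            work += 1
            if secure_store(word, salt) == stored:
                cracked[user] = word
                break
    return cracked, work


def demo():
    legacy = {u: legacy_store(p) for u, p in USERS.items()}
    secure = {u: secure_store(p) for u, p in USERS.items()}
    return {
        "legacy_shared": shared_values(legacy),   # alice and carol collide
        "secure_shared": shared_values(secure),   # nothing collides
        "legacy_crack": crack_legacy(legacy, DICTIONARY),
        "secure_crack": crack_secure(secure, DICTIONARY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both schemes give up the three weak passwords to a five-word dictionary; the difference is that the unsalted table costs five hashes no matter how many users there are, while the salted run costs a fresh dictionary pass per document and, just as importantly, never reveals which users share a password.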
Make a quick check of some person docs in your Lotus Notes domain's address book and see if any of the HTTP passwords look like the 32-character, all-uppercase hex values shown above. Right-click a person document, open Document Properties, and look at the HTTPPassword field on the Fields tab.
Even better, make a copy of the People view of the address book and use the following selection formula:
SELECT Type = "Person" & $SecurePassword!="1"
When the more secure format is used, Lotus Notes adds a field called $SecurePassword to the person document and sets it to "1". A view with this selection formula shows you the person documents that are not using it.
Or, you might want to create a view with a column that shows the HTTPPassword value itself. This helps you spot who shares a password (identical stored values) and which person documents still use the less secure format. Note that only the more secure format uses both upper- and lowercase letters; the old format is always 32 uppercase hexadecimal characters.
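The same audit can be run outside the Notes client over an export of the person documents, for instance when you want a report across several directories. The following is an added example, not code from the article or from Lotus: it applies the selection formula above in Python, classifies each HTTPPassword value by the format rule just stated, flags documents whose $SecurePassword flag disagrees with the value's format, and groups identical legacy values to show shared passwords. The field names are the Domino Directory's own; the documents themselves are constructed sample data (the two legacy values are the article's own examples), and the tolerance for a parenthesised value is a defensive assumption about how a value may appear in an export.

```python
import re
from collections import defaultdict

# Constructed sample of person documents. Field names (Type, FullName,
# HTTPPassword, $SecurePassword) are the Domino Directory's; values are made up.
SAMPLE_DOCS = [
    {"Type": "Person", "FullName": "Alice Adams/Acme", "HTTPPassword": "DE9CA9CD7BD212362B6D312A33E10FB2", "$SecurePassword": ""},
    {"Type": "Person", "FullName": "Bob Brown/Acme",   "HTTPPassword": "355E98E7C7B59BD810ED845AD0FD2FC4", "$SecurePassword": ""},
    {"Type": "Person", "FullName": "Carol Cole/Acme",  "HTTPPassword": "DE9CA9CD7BD212362B6D312A33E10FB2", "$SecurePassword": ""},
    {"Type": "Person", "FullName": "Dan Diaz/Acme",    "HTTPPassword": "GJ+SJ9nxOa5wFJTQJ4Kf", "$SecurePassword": "1"},
    {"Type": "Person", "FullName": "Eve Evans/Acme",   "HTTPPassword": "GEFPM6E7fS9BcsuOt9EZ", "$SecurePassword": "1"},
    {"Type": "Person", "FullName": "Frank Fox/Acme",   "HTTPPassword": "", "$SecurePassword": ""},
    {"Type": "Person", "FullName": "Gina Gray/Acme",   "HTTPPassword": "355E98E7C7B59BD810ED845AD0FD2FC4", "$SecurePassword": "1"},
    {"Type": "Group",  "FullName": "AllStaff",         "HTTPPassword": "", "$SecurePassword": ""},
]

# Less secure format: 32 uppercase hex digits. More secure format: mixed-case letters.
LEGACY_RE = re.compile(r"[0-9A-F]{32}")


def classify(value):
    """Return 'none', 'legacy', 'secure' or 'unknown' for one HTTPPassword value."""
    v = value.strip("()")  # assumption: an export may wrap the value in parentheses
    if not v:
        return "none"
    if LEGACY_RE.fullmatch(v):
        return "legacy"
    if any(c.islower() for c in v) and any(c.isupper() for c in v):
        return "secure"
    return "unknown"


def select_not_secure(docs):
    # Same selection as the view formula above: Type = "Person" and
    # $SecurePassword != "1" (a missing field compares as "" in Notes).
    return [d["FullName"] for d in docs
            if d.get("Type") == "Person" and d.get("$SecurePassword", "") != "1"]


def audit(docs):
    """Classify every person document and report shared and inconsistent entries."""
    report = {"legacy": [], "secure": [], "none": [], "unknown": [], "inconsistent": []}
    by_value = defaultdict(list)
    for d in docs:
        if d.get("Type") != "Person":
            continue
        name, value = d["FullName"], d.get("HTTPPassword", "")
        kind = classify(value)
        report[kind].append(name)
        flagged = d.get("$SecurePassword", "") == "1"
        # A flag that disagrees with the value's format deserves a second look.
        if (kind == "legacy" and flagged) or (kind == "secure" and not flagged):
            report["inconsistent"].append(name)
        if kind == "legacy":
            by_value[value].append(name)
    # Identical legacy values mean identical passwords.
    report["shared"] = {v: names for v, names in by_value.items() if len(names) > 1}
    return report


if __name__ == "__main__":
    print("not secure:", select_not_secure(SAMPLE_DOCS))
    for key, value in audit(SAMPLE_DOCS).items():
        print(key, value)
```

Documents with an empty HTTPPassword show up in the formula's result as well, because the field is simply not "1"; the audit lists them separately so they are not mistaken for legacy hashes.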
Here's what you have to do to fix this problem for existing users and for future users.
First, you have to make sure that all current users are set up to use the higher encryption. Open one of those handy views you built in the address book that allows you to spot the person documents with the problem.
Select the person documents that use the less secure format, then use the Actions…Upgrade to More Secure Internet Password menu sequence. This will take care of existing users.
To make sure that all future HTTP passwords will use the more secure format, open your domain's address book and go to Actions…Edit Directory Profile.
Change Use more secure Internet passwords to Yes, and you're in business.
Neither of these actions changes the passwords themselves. Your users will never know this was done. And you'll have the peace of mind of knowing that this threat to your Lotus Notes domain's security has been put down. One caveat: salting stops the one-pass dictionary sweep and hides which users share a password, but it does not make a weak password strong. A guessable HTTPPassword can still be cracked one document at a time by anyone who can read the field, so the upgrade is a complement to, not a substitute for, a password policy and tight access to the person documents.
If you have a moment, drop me a line and let me know if you were configured correctly. I'll share numbers but no names. Contact me at Andyp at Technotics dot com.
About the author: Andy Pedisich is President of Technotics, Inc. He has been working with Lotus Notes and Domino since Release 2. Technotics provides strategic consulting and training on collaborative infrastructure projects for customers throughout the world. You can contact Technotics through their Web site at www.technotics.com.
We've implemented the more secure Internet Password option and thought we were done until our security people started cracking salted hashes after a couple extra hours of work. Since then, we have enabled the xACL and now hide the HTTPPassword, dspHTTPPassword and PasswordDigest fields from everyone except the Lotus Notes user, the Lotus Domino server and the Domino administrators.
Lotus has documentation for doing just this with the xACL. The first is Technote #1244808, "Configuring xACLs to Protect Internet password fields in the Domino Directory." The second is from the Domino Administration help database and the document is titled: "Converting the default anonymous access settings to database ACL and extended ACL settings."