
RE: BillMax questions -- Plaintext Password

If, on the off chance, someone climbs a telephone pole,
cracks out a modem line with their high-tech equipment, and
sniffs the password, you don't have a big problem because you
have only lost one username/password for all of that
trouble.  On the other hand, if someone went through the
same amount of trouble to break in to your RADIUS server
and look at the plaintext passwords for CHAP, THEN you have
a really big problem because you've lost *all* of your
usernames and passwords.

Neither is a perfect solution, but PAP is statistically more
secure.

---
Brad Baker
Director: Network Operations
American ISP
brad@americanisp.net
+1 303 984 5700 x12
http://www.americanisp.net/
PGP KeyID: BEA23F60
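The storage trade-off the two posters describe, as an added example that is not from the list thread or from BillMax: a CHAP verifier has to recompute MD5 over the identifier, the reusable secret and the challenge (RFC 1994), so it needs the secret in the clear, whereas a PAP verifier only has to compare the submitted password against a stored salted hash. The secret, the challenge value and the function names are constructed for illustration.

```python
"""CHAP vs PAP: what the authentication server must keep on disk.
Constructed example; not code from the BillMax thread or product."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- CHAP (RFC 1994): Response = MD5(Identifier || secret || Challenge) ---

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value the dial-in peer returns; it is derived from the plaintext secret."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(stored_secret: bytes, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """The NAS/RADIUS side recomputes the same MD5, so it needs the secret itself,
    not a one-way hash of it."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

# --- PAP: password crosses the link in the clear, but the server keeps a hash ---

def pap_enroll(password: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store (salt, PBKDF2 digest); the plaintext password never needs to be kept."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def pap_verify(record: Tuple[bytes, bytes], password: bytes) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def demo() -> bool:
    """Shows that CHAP only works with the reusable secret, PAP works with a hash."""
    secret = b"hunter2"                                      # constructed
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    resp = chap_response(1, secret, challenge)
    chap_ok = chap_verify(secret, 1, challenge, resp)
    # A server that held only SHA-256(secret) cannot reproduce the peer's response.
    chap_hash_fails = not chap_verify(hashlib.sha256(secret).digest(), 1, challenge, resp)
    record = pap_enroll(secret)
    pap_ok = pap_verify(record, secret)
    pap_wrong_rejected = not pap_verify(record, b"hunter3")
    return chap_ok and chap_hash_fails and pap_ok and pap_wrong_rejected
```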

On Mon, 12 Aug 2002, Jeff LaCoursiere wrote:

> Date: Mon, 12 Aug 2002 06:10:01 -0500 (CDT)
> From: Jeff LaCoursiere <jeff@jeff.net>
> To: Internet Partners Inc. Support <support@IPINC.NET>
> Cc: Scott Rothgaber <scott@easley.net>, questions@billmax.com
> Subject: RE: BillMax questions -- Plaintext Password
>
>
>
> > >CHAP does require plaintext passwords on the server, but PAP does not,
> > >which is why we stuck with PAP.  I wouldn't call being forced to keep
> > >plaintext passwords on my server a "bonus"!
> > >
> >
> > But wait, Jeff - if you're using PAP then the crackers can come to your
> > house and climb the telephone pole and put a modem on your phone line and
> > pick off the plaintext password that you're sending to the term server when
> > you dial in.  Right?  At least, that's what all the CHAP proponents
> > say will happen. ;-)
>
> Well, that is a bit extreme, but true :)  I think UUNet and other long
> haul NAS providers want CHAP because they don't want to be liable for
> passwords being sniffed on network connections they have no control
> over.  Fair enough.  I honestly thought the radius protocol would just be
> encrypted by this point.  What point is the client/server shared secret
> otherwise (other than authenticating the connect)?  Shouldn't be a big
> deal for the client/server to use that secret for a cipher.  If they break
> your shared secret you could have worse problems!
>
> > or a SQL server like with icradius.
>
> I'm actually against this - I think it adds more overhead than just a
> Berkeley DB file.  I haven't seen any benchmarks, but I would be willing
> to bet quite a bit that the db file will be the fastest.
>
> >
> > [ much stuff about employee trust ]
> >
>
> I'm all for trusting my employees, and of course any really pissed off
> employee can find a way to cause damage if he/she wants to... The point
> really was if there is no good reason to store cleartext passwords, you
> shouldn't do it.
>
> Thanks,
>
> j
>
>
> -----------------------------------------------------------------------------
> To unsubscribe from the "BillMax Questions" mailing list, please
> send a message to "majordomo@billmax.com" with "unsubscribe questions"
> in the message body. The message must be sent from the exact email
> address on the list.
>
