CNVD/CNCERT Advisory on Lotus Domino Internet Passwords 

Lotus Domino provides customers with multiple means of authentication, each suited to different levels of threat resistance and assurance requirements. Among these authentication techniques, Lotus Domino can authenticate a web client with a username and password. As in all password-based authentication features, the user must supply a secret known only to the user and the server, namely a password, to prove identity to the Domino server. In order for the Domino server to authenticate the user, the user's password is stored securely in the Domino Directory as a hash. Not only Lotus Domino, but all password-based authentication features face the challenge of storing passwords securely enough to defend against password dictionary attacks.

CNVD/CNCERT has issued a defect advisory revolving around Domino's secure storage of passwords for web clients because, by default, all registered users have Reader access to the Domino Directory. While IBM recognizes the threat of password dictionary attacks regardless of where or how passwords are stored, storage of passwords in the Domino Directory is not in and of itself a bug, because the password is securely stored. Furthermore, Domino offers a set of supplementary features to thwart password dictionary attacks.
Password Storage

Instead of storing passwords in clear text, Lotus Domino protects internet passwords from disclosure by storing a cryptographically secure message digest, or hash, of the password in the Internet Password field of the Person document in the Domino Directory. The hash is a secure one-way function: it takes the password as input and outputs a long string that cannot itself be used as the password. It is considered one-way (or irreversible) because it is not practical to determine which input corresponds to a given output. In particular, it is computationally infeasible to find a message that corresponds to a given hash, and similarly infeasible to find two inputs that have the same hash. While this hash is necessary to ensure the confidentiality of the password, it is not sufficient to defeat password dictionary attacks, in which someone who can read the stored hash tests candidate passwords against it. Toward that end, Domino supplies a set of supplementary password management features.
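As an added illustration (not code from this article or from Domino), the following Python stores and checks a password the way the paragraph above describes: the stored digest is never reversed, only recomputed at login and compared. The article does not describe the Password2/Password3 internals, so PBKDF2-HMAC-SHA256 from the standard library stands in, with a per-user salt and a configurable work factor; the work-factor timing shows why a slower hash (as with Password3 versus Password2, mentioned under the measures below) multiplies the cost of every dictionary guess.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed illustration of keeping an internet password as a salted,
# iterated one-way hash instead of clear text. This is not Domino's own
# Password2/Password3 code (their internals are not given in the article);
# PBKDF2-HMAC-SHA256 stands in to show the two properties that matter: a
# per-user random salt, and a work factor that makes every guess costlier.

LOW_WORK_FACTOR = 1         # one digest per guess, like a plain unsalted hash
HIGH_WORK_FACTOR = 100_000  # many digests per guess; each guess is far slower


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form 'iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user: equal passwords, unequal records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and work factor and compare.
    The stored record is never reversed, only recomputed and matched."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # constant-time comparison so the check itself leaks no timing signal
    return hmac.compare_digest(digest.hex(), digest_hex)


def seconds_per_verify(record: str, password: str, samples: int = 3) -> float:
    """Average wall-clock cost of one verification. A dictionary attacker pays
    the same cost per guess, so raising the work factor slows every guess."""
    start = time.perf_counter()
    for _ in range(samples):
        verify_password(password, record)
    return (time.perf_counter() - start) / samples
```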

Defending Against Dictionary Attacks

Because IBM takes security very seriously, it is our philosophy to provide customers with a complete set of tools to protect their enterprise. With that in mind, Domino offers several configuration options that can be used to protect against -- or completely eliminate -- the risks associated with dictionary attacks. Each customer is encouraged to assess their configuration and their risk profile to determine which options best protect them. The measures that can be taken are:

Prevent repetitive password dictionary attacks by using Domino Internet Password Lockout (http://www.ibm.com/developerworks/lotus/library/domino8-lockout/)

Remove the Internet password from the Domino Directory and keep it in another protected directory. This is done by blanking out the Internet password field in the Domino Directory and configuring the Domino Directory Assistance (DA) feature to redirect to a secure LDAP directory, where access to the password can be further limited. See "Setting Up Directory Assistance" in Lotus Domino Administrator Help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp).

Customers should always require strong passwords, because the simpler the password, the more easily it is broken. Strong passwords are longer than 8 characters and contain letters, numbers, special characters and a mix of upper and lower case. In some configurations, these requirements can be enforced by Policy Settings. See "Creating Custom Password Policy" in Lotus Domino Administrator Help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp).

Application developers should use the Password3 function introduced in 8.5.2 to protect and verify passwords; it makes password dictionary attacks thousands of times slower than Password2 (initially released in 5.0.6). The original Password feature was replaced in Domino version 4.6 and should only be used by customers who still have v4.5 servers in their environment.

Use the Extended ACL (xACL) to hide the Internet password field. See the technotes "Configuring xACLs to protect Internet Password fields in the Domino Directory" (# 1244808) and "Security: Domino server HTTP password hash" (# 1377512).

As with many security features, enabling xACL comes at a cost, in this case performance. Additional server processing is required when xACLs are configured, and because xACL does not make use of the directory cache there will be some impact on directory server performance. Customers should plan accordingly.

For environments where insider attacks are a significant risk, prohibit password-based authentication completely and configure SSL for authentication instead. See "Set Up SSL on your Domino Server" and "Set Up Internet Clients for SSL" in Lotus Domino Administrator Help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp).
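To make the first of the measures above concrete, here is an added Python sketch (not Domino's Internet Password Lockout code) that replays constructed web-login events, counts failures per user inside a sliding window, and refuses a user who has reached the threshold even when a later attempt carries the right password. The threshold, the window and the log line format are assumptions made for the demo; the sample has one user failing five times within seconds and another failing twice 39 minutes apart.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed demonstration of the lockout control listed above: count failed
# web logins per user inside a sliding window and refuse further attempts once
# the threshold is hit. The log format, threshold and window are invented for
# the demo; this is not Domino's Internet Password Lockout implementation.

MAX_FAILURES = 5                        # assumed lockout threshold
FAILURE_WINDOW = timedelta(minutes=15)  # assumed window in which failures count
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<result>FAIL|OK) user=(?P<user>\S+)$")

CONSTRUCTED_LOG = """\
2011-05-05 10:00:01 FAIL user=jdoe
2011-05-05 10:00:05 FAIL user=jdoe
2011-05-05 10:00:09 FAIL user=jdoe
2011-05-05 10:00:12 FAIL user=jdoe
2011-05-05 10:00:15 FAIL user=jdoe
2011-05-05 10:00:20 OK user=jdoe
2011-05-05 10:01:00 FAIL user=asmith
2011-05-05 10:40:00 FAIL user=asmith
2011-05-05 10:41:00 OK user=asmith
"""

def process_logins(log_text, max_failures=MAX_FAILURES, window=FAILURE_WINDOW):
    """Replay login events and return one (user, outcome) pair per event.
    Outcomes are 'allowed', 'failed' or 'locked'; a locked user is refused
    even when the password is right, so automated guessing cannot continue."""
    failures = defaultdict(list)
    locked = set()
    outcomes = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = m["user"]
        if user in locked:
            outcomes.append((user, "locked"))
        elif m["result"] == "OK":
            failures[user].clear()  # a genuine success resets the counter
            outcomes.append((user, "allowed"))
        else:
            # drop failures that aged out of the window, then record this one
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) >= max_failures:
                locked.add(user)
            outcomes.append((user, "failed"))
    return outcomes
```

In the sample, jdoe's correct password on the sixth attempt is refused because the threshold was already reached, while asmith's two failures fall outside the window and the later successful login is allowed.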

IBM takes security very seriously and, at the same time, understands that no single solution suits the needs of all customers. For that reason, IBM is committed to providing customers with the flexibility of various security options based on each customer's security needs.

Category:
Domino security
Tags:
Lotus Domino Passwords, Lotus Notes Password Hash, Password Algorithm, Faisal Javed

This Version: Version 1 May 5, 2011 10:26:31 AM by FJaved Iqbal  
