CNVD/CNCERT Advisory on Lotus Domino Internet Passwords
Added by IBM contributor~Bill Fezjipyskiakoi on May 5, 2011 | Version 1
Tags: Lotus Domino Passwords, Lotus Notes Password Hash, Password Algorithm, Faisal Javed
Lotus Domino provides customers with multiple means of authentication, each suited to a different level of threat resistance and assurance. Among these, Lotus Domino can authenticate a web client with a username and password. As with every password-based authentication scheme, the user proves identity by supplying a secret that only the user knows and that the server can verify, namely the password. So that the Domino server can perform that verification without holding the password itself, the password is stored in the Domino Directory as a hash. Lotus Domino is not alone here: every password-based authentication feature faces the challenge of storing passwords in a way that withstands password dictionary attacks.

CNVD/CNCERT has issued a defect advisory concerning Domino's storage of passwords for web clients, on the grounds that, by default, all registered users have Reader access to the Domino Directory (names.nsf). IBM recognizes the threat of password dictionary attacks regardless of where or how passwords are stored. Storing the password hash in the Domino Directory is not, in and of itself, a bug, because the password itself is never stored and the hash is a one-way value. Domino additionally offers a set of supplementary features that can be used to thwart password dictionary attacks; they are described below.

Password Storage

Instead of storing passwords in clear text, Lotus Domino protects Internet passwords from disclosure by storing a cryptographic message digest (hash) of the password in the Internet Password field of the user's Person document in the Domino Directory. The hash is a one-way function: it takes the password as input and outputs a fixed-length string that cannot itself be presented as the password. It is called one-way (or irreversible) because it is not practical to determine which input produced a given output. In particular, it is computationally infeasible to find an input that corresponds to a given hash, and it is likewise infeasible to find two inputs that produce the same hash. While hashing is necessary to keep the password confidential, it is not by itself sufficient to defeat a password dictionary attack: an attacker who can read the hash can hash candidate passwords offline and compare the results, and the only question is how much each guess costs. Toward that end, Domino supplies a set of supplementary password management features.

Defending Against Dictionary Attacks

Because IBM takes security very seriously, it is our philosophy to provide customers with a complete set of tools to protect their enterprise. With that in mind, Domino offers several configuration options that reduce, or in some configurations eliminate, the risk associated with dictionary attacks. Each customer is encouraged to assess their configuration and risk profile to determine which option best protects them. The available measures are:

Prevent repeated online guessing by using Domino Internet Password Lockout (http://www.ibm.com/developerworks/lotus/library/domino8-lockout/). Note that lockout limits guesses submitted to the server; it does not slow an attacker who has already read a hash out of the directory and is testing guesses offline, which the remaining measures address.
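To make the lockout behaviour concrete, here is a small model of a lockout policy of the kind described above. This is an added example and not Domino's own implementation: the parameter names (max_tries, lockout_seconds, failure_window_seconds), the in-memory state and the simulated attack are all assumptions made for illustration, and the user list and wordlist are constructed sample data.

```python
"""Added example: online guessing against a lockout policy (generic model)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_tries: int = 5                  # failures before the account locks (assumed name)
    lockout_seconds: int = 24 * 3600    # how long a lock lasts (assumed name)
    failure_window_seconds: int = 3600  # failures older than this are forgotten (assumed name)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class Lockout:
    """Tracks failed logins per user and refuses further attempts once locked."""

    def __init__(self, policy, check_password):
        self.policy = policy
        self.check_password = check_password  # callback (user, password) -> bool
        self.state = defaultdict(AccountState)

    def attempt(self, user, password, now):
        st = self.state[user]
        if now < st.locked_until:
            # Locked accounts are refused even for the correct password, which is
            # why lockout also gives an attacker a denial-of-service lever.
            return "locked"
        # Forget failures that fall outside the counting window.
        st.failures = [t for t in st.failures
                       if now - t < self.policy.failure_window_seconds]
        if self.check_password(user, password):
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_tries:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures.clear()
            return "locked"
        return "failed"


def simulate_online_attack(lock, user, wordlist, start=0.0, spacing=1.0):
    """Submit one guess per `spacing` seconds and record each outcome."""
    return [lock.attempt(user, guess, start + i * spacing)
            for i, guess in enumerate(wordlist)]


if __name__ == "__main__":
    users = {"alice": "S3cur3!pass"}  # constructed sample account
    policy = LockoutPolicy(max_tries=3, lockout_seconds=600, failure_window_seconds=300)
    lock = Lockout(policy, lambda u, p: users.get(u) == p)
    # Constructed wordlist: the real password is the fourth guess, but the
    # account locks after the third failure, so the attacker never reaches it.
    print(simulate_online_attack(lock, "alice", ["123456", "password", "letmein", "S3cur3!pass"]))
```

The third failure locks the account, and the correct password is refused until lockout_seconds have elapsed, so the lockout expiration should be chosen with the legitimate user's experience in mind as well as the attacker's.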

Remove the Internet password from the Domino Directory and keep it in another, better protected directory. This is done by blanking out the Internet Password field in the Domino Directory and configuring Domino Directory Assistance (DA) to redirect authentication to an LDAP directory where read access to the password attribute can be restricted further. See "Setting Up Directory Assistance" in Lotus Domino Administrator Help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp).

Customers should always require strong passwords, because the simpler the password, the more easily it is guessed. Strong passwords are longer than 8 characters and contain letters, numbers, special characters and a mix of cases. In some configurations these requirements can be enforced through Policy Settings. See "Creating Custom Password Policy" in Lotus Domino Administrator Help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp).

Application developers should use the Password3 function introduced in 8.5.2 to protect and verify passwords; it makes password dictionary attacks thousands of times slower than Password2 (initially released in 5.0.6). The original Password function was replaced in Domino 4.6 and should be used only by customers who still have 4.5 servers in their environment.
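The following added example illustrates the point made in the "Password Storage" section and in the Password3 paragraph above: a one-way hash hides the password, but if it is fast and unsalted an attacker who can read it simply hashes a wordlist, whereas a salted, iterated digest makes every guess cost a configurable amount of work. This is generic illustration code written for this page using Python's hashlib; it does not reproduce Domino's own Password, Password2 or Password3 formats, and the function names, the iteration count and the wordlist are constructed for the example.

```python
"""Added example: offline dictionary attack against a fast hash vs. an iterated one."""
import hashlib
import hmac
import os
import time

# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Domino2011", "S3cur3!pass"]


def hash_fast(password: str) -> str:
    """Unsalted, single-round digest: one-way, but each guess is nearly free."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_slow(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated digest (PBKDF2-HMAC-SHA256). Still one-way; the salt
    defeats precomputed tables and `iterations` sets the cost of each guess.
    Stored as salt$iterations$digest (an assumed storage layout)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and cost, compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def dictionary_attack_fast(stored_digest: str, wordlist):
    """Attacker who read the fast digest out of the directory tries every word."""
    for guess in wordlist:
        if hash_fast(guess) == stored_digest:
            return guess
    return None


def dictionary_attack_slow(stored: str, wordlist):
    """Same attack against the iterated digest: still works, but pays the cost per guess."""
    for guess in wordlist:
        if verify_slow(guess, stored):
            return guess
    return None


def cost_ratio(iterations: int = 100_000, samples: int = 200) -> float:
    """Measure how many times more expensive one guess is against the iterated digest."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        hash_fast("guess")
    per_fast = (time.perf_counter() - t0) / samples
    slow_samples = max(samples // 20, 1)
    t0 = time.perf_counter()
    for _ in range(slow_samples):
        hash_slow("guess", salt, iterations)
    per_slow = (time.perf_counter() - t0) / slow_samples
    return per_slow / per_fast


if __name__ == "__main__":
    stored_fast = hash_fast("letmein")
    print("fast digest cracked:", dictionary_attack_fast(stored_fast, WORDLIST))
    stored_slow = hash_slow("letmein", os.urandom(16))
    print("slow digest cracked:", dictionary_attack_slow(stored_slow, WORDLIST))
    print("cost per guess, iterated vs fast: %.0fx" % cost_ratio())
```

Both digests are cracked when the password is in the wordlist, which is why the strong-password requirement above still matters; what the iterated digest changes is the attacker's throughput, which is the effect the page attributes to Password3 over Password2.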

Use the Extended ACL (xACL) to hide the Internet Password field. See the technotes "Configuring xACLs to protect Internet Password fields in the Domino Directory" (# 1244808) and "Security: Domino server HTTP password hash" (# 1377512).

As with many security features, enabling xACL comes at a cost, in this case performance. Additional server processing is required when xACLs are configured, and because xACL does not make use of the directory cache there will be some impact on directory server performance. Customers should plan accordingly.

For environments where insider attacks are a significant risk, prohibit password-based authentication completely and configure SSL client authentication, in which the browser presents an X.509 client certificate instead of a password, so there is no password hash to attack. See "Set Up SSL on your Domino Server" and "Set Up Internet Clients for SSL" in Lotus Domino Administrator Help (http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp).

IBM takes security very seriously and, at the same time, understands that no single solution suits the needs of all customers. For that reason, IBM is committed to providing customers with the flexibility of various security options based on each customer's security needs.
