December 5th, 2005, 10:36 PM
Lotus Notes Password Hash
I had an interesting discussion today I would like to share to see if anyone has seen this before.
It seems that in the "names.nsf" file on a Notes server, the password hashes of the users listed can be seen. This can be done in numerous ways:
- By looking at the names.nsf in a browser window
- By looking at the source of names.nsf in an editor
- By looking up the address book itself and creating a view with the HTTPPassword field
- By exporting individual users in Notes and viewing this in text form
This is disturbing to me in more ways than one. I do not know if this hash is "crackable", and frankly am a little scared to find out.
Has anyone seen this before? What have you done? What CAN be done?
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War