December 6th, 2005 01:25 PM
This is old news.
1. It only applies to passwords for Notes users set up for web access. Passwords for access from the Notes client are not even stored on the server. They are stored in Notes id files. (Actually, they're not even stored there. The password is used to encrypt credentials stored in the file.)
2. Notes (actually, "Domino" is the name for the server side) provides an option for upgrading the strength of the Internet Password hash that is stored in the Domino Directory. The stronger hash is "salted" and therefore much less susceptible to brute force attack. Unfortunately, although this setting has been available in the product since 1998, it is still not the default setting because it potentially breaks backward compatibility for users of pre-1998 versions of the software -- so I'm not trying to kid anyone here: there definitely are some Domino servers that are vulnerable because of this. In recent conversations with IBM, I was told that they are going to change this, finally.
3. There are several easy ways available for administrators to lock down the Domino Directory to prevent web users from browsing through views and records, but it is not necessarily possible to lock out users who are authorized to use the Notes client. I won't go into them here because -- thanks to the fact that someone re-discovers this "vulnerability" every few months -- the various techniques have been discussed numerous times over the years on the forums where Notes and Domino admins go for support.
4. There is a way to set up one Domino server so that it uses the Directory on another Domino server for authentication, so password hashes aren't even stored on it. The second server can be completely locked down so that only authorized administrators can access it.
And, oh... there are 120 million Notes users. And it's still growing at double-digit annual rates. One of the reasons for that: there is no software with anywhere near that installed base with a better overall security record. That doesn't mean it's perfect, of course.
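An added illustration of point 2 above (why a salted hash is "much less susceptible to brute force attack"). This is example code written for this page, not code from the post's author, from IBM, or from Domino; it does not reproduce Domino's actual Internet password algorithms. SHA-1 is used as a stand-in hash, and the wordlist, user names and passwords are constructed for the demonstration. It shows the two costs that matter to an attacker who has dumped a directory: with unsalted storage one precomputed table of wordlist hashes cracks every account at once, and identical passwords are visible as identical hashes; with per-user salts the attacker must rehash the entire wordlist for every user, and identical passwords no longer look alike.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed wordlist for the demonstration (not from any real breach).
WORDLIST: List[str] = ["password", "letmein", "welcome1", "qwerty", "domino", "notes2005"]

# Constructed directory entries: (username, password the user chose).
# "alice" and "carol" deliberately share a password.
USERS: List[Tuple[str, str]] = [
    ("alice", "password"),
    ("bob", "letmein"),
    ("carol", "password"),
    ("dave", "qwerty"),
]


def unsalted_hash(password: str) -> str:
    """Stand-in for an unsalted password hash. NOT Domino's algorithm."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Stand-in for a salted password hash. NOT Domino's algorithm."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def make_unsalted_directory() -> Dict[str, str]:
    """username -> stored unsalted hash (the weak storage format)."""
    return {user: unsalted_hash(pw) for user, pw in USERS}


def make_salted_directory(salt_len: int = 5) -> Dict[str, Tuple[bytes, str]]:
    """username -> (random per-user salt, stored salted hash)."""
    directory: Dict[str, Tuple[bytes, str]] = {}
    for user, pw in USERS:
        salt = os.urandom(salt_len)        # fresh salt per user
        directory[user] = (salt, salted_hash(pw, salt))
    return directory


def crack_unsalted(directory: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """One precomputed table serves every account.

    Returns (recovered passwords, number of hash computations).
    The hash count is len(wordlist) no matter how many users there are.
    """
    table = {unsalted_hash(w): w for w in wordlist}   # built once
    ops = len(wordlist)
    recovered = {user: table[h] for user, h in directory.items() if h in table}
    return recovered, ops


def crack_salted(directory: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Each user's salt forces the whole wordlist to be rehashed for that user.

    Returns (recovered passwords, number of hash computations).
    The hash count is len(users) * len(wordlist): no table can be shared.
    """
    ops = 0
    recovered: Dict[str, str] = {}
    for user, (salt, stored) in directory.items():
        for w in wordlist:
            ops += 1
            if salted_hash(w, salt) == stored:
                recovered[user] = w
    return recovered, ops


def shared_passwords_visible(hashes: List[str]) -> bool:
    """True if two stored hashes are identical, i.e. reuse leaks with no cracking at all."""
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    weak = make_unsalted_directory()
    strong = make_salted_directory()
    found_weak, ops_weak = crack_unsalted(weak, WORDLIST)
    found_strong, ops_strong = crack_salted(strong, WORDLIST)
    print("unsalted: recovered", found_weak, "with", ops_weak, "hashes;",
          "reuse visible:", shared_passwords_visible(list(weak.values())))
    print("salted:   recovered", found_strong, "with", ops_strong, "hashes;",
          "reuse visible:", shared_passwords_visible([h for _, h in strong.values()]))
```

The attacker still recovers the same weak passwords in both cases; what changes is that the salted directory costs a full wordlist pass per account instead of one pass total, and it no longer reveals which users share a password. That is the whole argument for switching the Domino Directory to the salted format.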