[Full-Disclosure] Re: IRCXpro 1.0 - Clear local and default remote admin passwords

[Michael Osten]

> The reason why IRC servers "IRCD.config" files don't use encryption (see
> file attachment for example) is because 49 times out of 50 they do not
come
> with a GUI program.  Administrators main method of changing the
> configuration is to manually edit the file using a notepad utility.

It has nothing to do with having a GUI or not.  You obviously have no
concept of Unix permissions, so using a unix analogy should be avoided in
the future.  The config file that you speak of would be set to only be
readable and/or writable the user running the daemon.  Even the existance of
that password in the config file woud lend it self a bad design as every
application in (linux at least) can have hooks to PAM and use the same
encrypted password.  If the password *was* in the config file, to read this
file, you would need that users priviledges, or priviledges greater than
that user.  If you have either, crypting the password would be a bit
pointless (not to say that people don't do it).

I'm not even going to touch the "notepad utility" comment.


> Overuse in the use of encrypted passwords can be counter productive to
> functionality.
> There are good reasons to keep passwords clear text passwords to better
> interface with other software.
> For example Merak Mail server software
> (http://www.icewarp.com/Products/Merak_Email_Server_Software/)
> When using this mail server, it can store the accounts on an SQL Server.
> The passwords are stored clear text.  This enables other software to
> interface with its data to create and sync its accounts/passwords with
other
> systems.


No, No, No.  Bad design, stupid design.  I've never heard of your or "Merak
Mail" software, but thanks for pointing them out.  I can avoid both steaming
piles of crap.