Web Authentication Using Soundex Values May Increase the Risk of a Brute Force Attack
InfoScreen has published an advisory showing an increased risk of a brute force attack under particular circumstances. The address is as follows:
It may be easier for an attacker to gain authenticated access to Domino data when both of the following conditions are met:
1) Internet authentication is configured to use "More name variations with lower security" in the Server document in the Domino Directory
2) User accounts exist with common or guessable passwords
Soundex allows Notes users to use phonetic spellings to search for names. It is primarily used for mail address resolution, but can optionally be used as a value for web authentication. [For more information about Soundex, please refer to the following documents linked to in the Related Information section below:
- How Does Soundex Work in Lotus Notes and Domino? (#1084571)
- What Is the Soundex Coding System? (#1087113)]
In the Domino Directory, in the Server document, there is a field called "Internet authentication" on the Security tab. This field has two possible values. If you select "More name variations with lower security" then Web browser users can authenticate using
- first name only (example: Robert),
- their last name only (example: Smith),
- common name (example: Robert Smith),
- hierarchical name (example: Robert Smith/org),
- shortname (example: rsmith),
- any alias name found in the username field (example: Bob Smith),
- or soundex number (example: s123).
The other field value "Fewer name variations with higher security" only allows users to authenticate using
- common name (Robert Smith),
- hierarchical name (Robert Smith/org), or
- alias name (Bob Smith).
This is a more secure method for authentication and will help to prevent the problems discussed in the Infoscreen advisory. This is the setting that IBM Lotus software recommends because it is more secure. It is the default setting in Domino 6x; however, administrators who are upgrading from an earlier release should review their settings as it will not be changed on upgrade.
Another alternative is to use the NOTES.INI variable NoAmbiguousWebNames=1. This variable requires that a name that is not ambiguous be used in order to be authenticated. When you use this NOTES.INI variable, if more than one match is found when the $Users hidden view is searched, the user will not be authenticated and Domino generates an "Error 401 User not authenticated" message.
A third alternative is to use the NOTES.INI variable NABWebLookupView=viewname to specify a custom view to be used for Web authentication.
The use of any one of these three alternatives prevents Soundex values from being used as a user name to authenticate.
In addition, users should be encouraged to choose strong passwords. In Domino 6, password policies can be used to enforce the use of a strong password. Other customer and partner applications also exist to enforce password policies and are commonly used.
Finally, when storing passwords in the Domino Directory, IBM Lotus software also strongly recommends the use of the "More secure Internet password format," which was introduced in Domino 4.6.
More support for:
Lotus End of Support Products
Lotus Domino Server
Software version: 4.6, 5.0, 6.0, 6.5
Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS
Reference #: 1165495
Modified date: 12 September 2004