
Response to "Lotus Domino R5/R6 HTTPPassword dump"


Technote (troubleshooting)


Problem

A document titled "raptor_dominohash - Lotus Domino R5/R6 HTTPPassword dump" has been posted at the following address:

http://www.milw0rm.com/exploits/3302


Resolving the problem

Extended Access Control Lists (xACLs) are a feature introduced in Lotus® Domino® 6.0 that allows administrators to apply access controls at the field level in the Domino Directory. Please refer to technote #1244808 for additional details on configuring xACLs to protect the Internet password fields. This is the recommended solution for protecting sensitive fields, such as the Internet password (HTTPPassword).


Additional recommendations for securing access to the Domino Web Server when using password-based authentication are as follows:

1. Restrict anonymous access to the Domino Directory to force users to authenticate before accessing the directory
By default, users must authenticate to the Domino Web server in order to gain Reader access to the Domino Directory. In the ACL, Anonymous is set to "No Access" and Default is set to "Reader," which forces all users to authenticate. Administrators may also set Default access to "No Access" and allow access only through explicit ACL entries, group names, or wildcard hierarchies (for example, /ACME).

2. Apply the more secure Internet password format for all users
Domino offers the choice of two algorithms for storing the Internet password in the Person record. The original format is a single unsalted hash. In Domino 4.6, a second format was introduced, known as the "More secure Internet password format," which is a salted hash. When using this format, the string "(355E98E7C7B59BD810ED845AD0FD2FC4)" will not be the hash for the string "password," and the hashed value will be different for every user who chooses the same password value. This format is not backwards-compatible with Domino R4.5, so all servers must be at R4.6 or higher. IBM Lotus strongly recommends the use of the "More secure Internet password format" for storing Internet passwords in the Domino Directory.

To upgrade existing Person documents, select the Person documents from the view and select Actions -> Upgrade to More Secure Internet Password Format. This action runs an agent to enforce the use of the salted hash. To ensure that the more secure Internet password format is used when creating new Person records, edit the Directory Profile from Actions -> Edit Directory Profile and select "Yes" for the "Use more secure Internet password format" field. This requires Domino 5.0.6 or higher.
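The page states that legacy hashes are a single unsalted value, so two users who chose the same password share the same stored hash, while the "More secure" format produces a different value per user. The following audit helper is an added example (not IBM's code) that, given exported Person-record HTTPPassword values, reports which records still use the legacy 32-hex-digit format and which legacy hashes are shared by more than one user. The shape of the salted format (22 characters in parentheses beginning with "G") is an assumption not stated on the page; the sample records are constructed.

```python
import re
from collections import defaultdict

# Legacy unsalted format: 32 hex digits in parentheses; the page gives
# "(355E98E7C7B59BD810ED845AD0FD2FC4)" as the legacy hash of "password".
LEGACY_RE = re.compile(r"^\(([0-9A-Fa-f]{32})\)$")
# "More secure Internet password format": ASSUMED here to be 22 base64-style
# characters in parentheses starting with "G" (assumption, not from the page).
SALTED_RE = re.compile(r"^\(G[0-9A-Za-z+/]{21}\)$")


def classify(value):
    """Return 'legacy', 'salted', 'empty' or 'unknown' for one HTTPPassword value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    if LEGACY_RE.match(value):
        return "legacy"
    if SALTED_RE.match(value):
        return "salted"
    return "unknown"


def audit(records):
    """records: iterable of (user_name, httppassword_value).
    Returns a dict with per-format user lists and, for the legacy format,
    the hashes shared by two or more users (same hash => same password)."""
    by_format = defaultdict(list)
    legacy_users = defaultdict(list)
    for user, value in records:
        kind = classify(value)
        by_format[kind].append(user)
        if kind == "legacy":
            legacy_users[value.strip().upper()].append(user)
    shared = {h: u for h, u in legacy_users.items() if len(u) > 1}
    return {"formats": dict(by_format), "shared_legacy": shared}


# Constructed sample export; "Carol" carries an assumed-format salted value.
SAMPLE = [
    ("CN=Alice Smith/O=ACME", "(355E98E7C7B59BD810ED845AD0FD2FC4)"),
    ("CN=Bob Jones/O=ACME", "(355e98e7c7b59bd810ed845ad0fd2fc4)"),
    ("CN=Carol White/O=ACME", "(GKjXibCW2Ml6juyQHUoQaJ)"),
    ("CN=Dave Brown/O=ACME", ""),
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for kind, users in report["formats"].items():
        print(f"{kind}: {', '.join(users)}")
    for h, users in report["shared_legacy"].items():
        print(f"shared legacy hash {h} -> upgrade and reset: {', '.join(users)}")
```

Records listed under "legacy" should be upgraded with the Actions menu described above; users sharing a legacy hash also share a password and should be asked to change it after the upgrade.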


3. Enforce use of strong passwords/passphrases.
Administrators may also wish to consider replacing password-based authentication with certificate-based authentication using SSL and client-side certificates.

Related Documents:

Configuring xACLs to protect Internet Password fields in the Domino Directory (1244808)
http://www.ibm.com/support/docview.wss?rs=463&uid=swg21244808

How to Upgrade to the More Secure Internet Password Format (1091043)
http://www.ibm.com/support/docview.wss?rs=463&uid=swg21091043

Setting More Secure Internet Passwords in Domino Directory Profile (1085488)
http://www.ibm.com/support/docview.wss?rs=463&uid=swg21085488

Does the PasswordDigest field contain a hashed value of the user's Notes ID password? (1215256)
http://www.ibm.com/support/docview.wss?rs=463&uid=swg21215256




Document information

Product: Lotus End of Support Products, Lotus Domino
Software version: 6.0, 6.5, 7.0
Operating system(s): AIX, Linux, Solaris, Windows, i5/OS, z/OS
Reference #: 1255244
Modified date: 2007-02-14
