5 Replies Latest reply on Apr 24, 2013 7:47 AM by Peter Krutý

    Stored passwords security

    pne

      Hello,


      Can someone please explain whether site passwords stored in the Site Manager are protected, and how? What is the encryption, and can brute force succeed in breaking it and revealing the stored passwords? Do you recommend saving passwords? I could not find this in the documentation or in the Rhinosoft KB. I found that there used to be another "secure" version of Voyager in the past, but not anymore.


      Thanks,

      Petr

        • Re: Stored passwords security
          macnugetz

          Passwords saved in the Scheduler Site Profile Manager are encrypted using TEA (Tiny Encryption Algorithm). In order to use Scheduler, you must save the password to disk. There is no way to provide a password to the task at run time.



            • Re: Stored passwords security
              pne

              Thanks for your reply! Can you please further clarify:


              1. Does the same answer apply for "Site Profile Manager"? I do not use Scheduler so I am a bit confused here.


              2. Regarding the TEA cipher, Wikipedia describes the original TEA as vulnerable. Can you confirm whether the original TEA is used, or some newer variant (XTEA, XXTEA)?


              Petr

                • Re: Stored passwords security
                  macnugetz

                  Sorry for the confusion; yes, same answer. Voyager has always used this for password storage, and what you have stated is correct (it's susceptible to brute force).


                  HTH,

                  Craig

                    • Re: Stored passwords security
                      akacraig

                      I have been wondering about this as well, specifically around securing a client cert private key password.


                      Given that the details for the site are stored in the profile manager, I assume that the client cert private key password would also be covered by TEA?


                      What I am not clear on is how the key for TEA is set.  I can't see an option to supply a password, for example, to serve this purpose.


                      Failing that, is there a way to provide the client cert private key password only at connect time?
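To make concrete what akacraig is asking about (how the TEA key is set), here is an added example, not Voyager's code and not describing how Voyager actually derives its key: original TEA used with a 128-bit key derived from a user-supplied master password, so that the profile file alone is not enough to decrypt a stored password. The master-password design, the PBKDF2 parameters and the CBC/PKCS#7 framing are all assumptions for illustration.

```python
import hashlib
import os
import struct

MASK = 0xFFFFFFFF  # all arithmetic is modulo 2**32, as in the C reference TEA

def tea_encrypt_block(v0, v1, k):
    # Original TEA (Wheeler/Needham): 32 rounds on a 64-bit block, 128-bit key k[0..3]
    s = 0
    for _ in range(32):
        s = (s + 0x9E3779B9) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def tea_decrypt_block(v0, v1, k):
    s = (0x9E3779B9 * 32) & MASK
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - 0x9E3779B9) & MASK
    return v0, v1

def derive_key(master_password, salt):
    # Assumed design (not Voyager's): TEA key derived from a user-chosen master password via PBKDF2
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=16)
    return struct.unpack("<4I", raw)

def encrypt_password(password, master_password):
    salt, iv = os.urandom(16), os.urandom(8)
    k = derive_key(master_password, salt)
    data = password.encode()
    data += bytes([8 - len(data) % 8]) * (8 - len(data) % 8)  # PKCS#7 pad to 8-byte blocks
    out, prev = b"", iv
    for i in range(0, len(data), 8):  # CBC chaining: identical blocks do not repeat
        p0, p1 = struct.unpack("<2I", bytes(a ^ b for a, b in zip(data[i:i + 8], prev)))
        prev = struct.pack("<2I", *tea_encrypt_block(p0, p1, k))
        out += prev
    return salt + iv + out  # salt and IV are public; only the master password is secret

def decrypt_password(blob, master_password):
    salt, iv, body = blob[:16], blob[16:24], blob[24:]
    k = derive_key(master_password, salt)
    data, prev = b"", iv
    for i in range(0, len(body), 8):
        c = body[i:i + 8]
        p = struct.pack("<2I", *tea_decrypt_block(*struct.unpack("<2I", c), k))
        data += bytes(a ^ b for a, b in zip(p, prev))
        prev = c
    return data[:-data[-1]].decode()  # strip PKCS#7 padding
```

The contrast with a key that is fixed inside the program is the point: there, the same blob decrypts for anyone who has the file, so the cipher choice matters less than where the key lives.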