> I have yet to be in an environment that this tactic could reasonably be used.

Anywhere with a window.

I'm really not seriously arguing that the password should not be masked in the GUI, I was just trying to make a point. Indeed the password should be masked in the GUI. This is something that ISS is not doing.



> Also it appears to me that Nessus security scanner seems to disagree about storing passwords in cleartext:

That's because in these cases the password could be stored as a hash pretty easily, as it does not need to be re-used in clear text (this is also how nessusd stores the user passwords by the way).

I guess we just disagree on the seriousness and who is responsible for doing what. Everyone I know that has used Nessus did not realize this was the case. I expect the vast majority of people who use Nessus don't realize this either. I don't see why this is not made clear to the user so at least they can be aware of it and have a chance to make the effort to make the situation more secure. I'll say my (hopefully) final piece here and thereafter try to refrain from beating this dead horse anymore...


I am not a professional security engineer. I do know 4 professional security engineers that have decades of network and security experience. Before I brought this up to anyone on this list or otherwise, I approached each one of them independently and asked them if they thought it was an issue because I didn't want to bother the list with something trivial. They all without hesitation said absolutely it was a problem. I also found out that some organizations would not use Nessus due to this violating their security policy. At that point I brought the issue up on this list where there was mostly disagreement that this was an issue (in some private emails some people initially agreed then reversed their opinion). At this point I contacted CERT to get their opinion on this issue. If they had told me it was not an issue I would have dropped it at that point. After a fairly lengthy period, someone from CERT contacted me and indicated that it presented "a weakness in security" and "failure on many levels". Those were the words from CERT, not me. This issue was assigned an internal reference number and then I never heard from them again. I don't know what their retention on these things is, but this was about a year ago. It may have mostly been my fault that nothing happened in that I didn't follow up closely on it. I still have a copy of that email that can be provided (if that's even appropriate) upon request.





_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus