On Mon, Sep 28, 1998 at 07:18:25PM -0400, Steven J. Sobol wrote:
Note that CRYPT-PW apparently only refers to how the passwords are stored on the InterNIC's servers; they're sent in plaintext when you e-mail the form.
Well, you know... no. I've seen the mail generated when you fill in the webform, and choose CRYPT-PW. The CGI script encrypts the cleartext password, and that's what's in the field in the email when it's mailed to you for forwarding.
Jay, my friend, I hate to be argumentative, but...
Authorization 0a. (N)ew (M)odify (D)elete.........: M 0b. Auth Scheme.....................: CRYPT-PW 0c. Auth Info.......................: sj.3989.
That is indeed the password associated with my NIC handle. Or was, anyhow. I've since changed it.
That was in the e-mail sent to me, which was not PGP'd or encrypted in any way.
They've changed it, then. When I last used CRYPT-PW to register a domain, I entered my password into the webform and the mail I was sent to forward back in had a crypt(2) looking string in that position.
For that matter, the OLD password is not encrypted on the contact form if you are modifying contact information for a certain handle, either.
The entire operation is pretty teen-age, as fas as I'm concerned.
I guess that is supposed to make it easier to fill in the text file and mail it, as opposed to going to the web site. But it defeats the whole purpose of having an encrypted password.
Quite. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Member of the Technical Staff "The net is safer in bad weather: you The Suncoast Freenet can't run a backhoe Tampa Bay, Florida in a hurricane." (after Sean Donelan) +1 813 790 7592 Managing Editor, Top Of The Key sports e-zine ------------ http://www.totk.com