There are countless password guessing programs floating around out there, but they're nothing to worry seriously about. The web site for the product that you mentioned even states, "Lotus Notes uses relatively strong encryption algorithm that makes instant password calculation impossible".
If your password is "password", "password1", or "Password1", somebody could guess it in a few moments by typing at a keyboard. If you have a policy requiring a password quality of 12 or better and no dictionary words, even an automated brute force guessing program would have a hard time guessing the password for any specific ID file before that ID file's owner retires.
Life has also grown harder for the password guessing programs and easier for security-conscious Notes admins from release to release. Notes/Domino 8.0.1 introduced a new security settings policy that you can use to enforce a specific ID file encryption algorithm, or to prevent users from using the older ones. I'd recommend preventing use of 64 bit RC2, since 128 bit RC2 has been supported since ND6. You've upgraded your computers since Notes V1 shipped; it's time to upgrade your security settings as well. If your users are on fast computers and only using 8.0.1+, you can even force them to use an iterated 128 bit AES algorithm that at default settings would (according to some crudely unscientific calculations on two different unloaded computers) roughly turn a "one-day-to-guess" weak password into a "ten-years-to-guess" weak password. And if that's not enough, and your users are willing to tolerate a massive delay every time they enter their passwords, you can force use of a 256 bit AES algorithm and crank up the iteration count to the maximum, and turn that one day (or ten years) into over 130 years.
So, no, I'd have to say that the security of the user ID has been improving significantly over the years, not going down the tubes at all. :)
Feedback response number DKEN7P638R created by ~Ben Umboosichekader on 02/11/2009
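The reply above rests on two multipliers: a password-quality policy (length 12 or better, no dictionary words) grows the space a guesser must search, and an iterated key-derivation step makes every single guess cost as much as the legitimate user's login. The following is an added example written for this page, not Notes/Domino code and not the poster's: PBKDF2-HMAC-SHA256 stands in for the iterated AES scheme the post mentions, and the word list, iteration counts and guess rate are constructed assumptions, not vendor figures.

```python
"""Added example (not Notes/Domino code): how a password policy and an
iterated key-derivation function multiply the cost of guessing an
ID-file password.  PBKDF2-HMAC-SHA256 is an assumed stand-in for the
iterated AES scheme; all rates and counts below are constructed."""
import hashlib
import os
import time

# Constructed mini word list standing in for a real dictionary.
DICTIONARY = frozenset({"password", "letmein", "welcome", "notes", "domino"})


def password_meets_policy(password: str, min_length: int = 12,
                          dictionary=DICTIONARY) -> bool:
    """Minimal quality check: minimum length and no dictionary base word.

    Trailing digits are stripped before the lookup so that 'password1'
    and 'Password1' are rejected just like 'password'."""
    if len(password) < min_length:
        return False
    base = password.rstrip("0123456789").lower()
    return base not in dictionary


def derive_key(password: str, salt: bytes, iterations: int,
               key_bits: int = 128) -> bytes:
    """Derive an AES-sized key (128 or 256 bits) from a password.

    A guesser must repeat the same `iterations` for every candidate, so
    raising the count raises the attacker's per-guess cost linearly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=key_bits // 8)


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` over a charset."""
    return charset_size ** length


def expected_guess_seconds(keyspace_size: int, iterations: int,
                           base_guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen password.

    base_guesses_per_second is the attacker's rate at one iteration;
    each additional iteration divides that rate.  On average half the
    space is searched before the right password turns up."""
    attempts = keyspace_size / 2
    return attempts * iterations / base_guesses_per_second


def slowdown_factor(old_iterations: int, new_iterations: int) -> float:
    """How much longer a guessing run takes after raising the count."""
    return new_iterations / old_iterations


def measure_login_delay_ms(iterations: int, password: str = "correct horse") -> float:
    """Wall-clock cost of one derivation: the delay a legitimate user
    pays at every login, which is the price of slowing the guesser."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(password, salt, iterations)
    return (time.perf_counter() - start) * 1000.0


if __name__ == "__main__":
    # Constructed assumptions: 62-character alphabet, 12-character
    # password, attacker doing 1e9 single-iteration guesses per second.
    DAY = 86400.0
    YEAR = 365 * DAY
    space = keyspace(62, 12)
    for iters in (1, 1000, 100000):
        secs = expected_guess_seconds(space, iters, 1e9)
        print(f"{iters:>7} iterations: ~{secs / YEAR:.3g} years expected, "
              f"login delay {measure_login_delay_ms(iters):.1f} ms")
    # Going from a one-day to a ten-year guessing run needs a 3650x
    # slowdown, i.e. 3650x the iteration count at the same guess rate.
    print("slowdown needed for 1 day -> 10 years:", slowdown_factor(1, 3650))
    for pw in ("password", "Password1", "tr0ub4dor&3xtra"):
        print(f"{pw!r:>20} meets policy: {password_meets_policy(pw)}")
```

The key point the numbers make visible is that the policy and the iteration count compound: the policy decides how many candidates a guesser must try, and the iteration count decides how much each try costs, while the same per-derivation cost is what the legitimate user pays once per login.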