Old passwords never die on Microsoft Exchange Server 5.0

Don't bother changing your password in Microsoft Exchange Server 5.0. It will just keep accepting the old ones. A Philadelphia-based programmer says Microsoft has tentatively confirmed the security hole, which affects the POP3 connector in the popular messaging system. But Microsoft has yet to put any information about the bug on its security page.

A Philadelphia, Pennsylvania-based programmer says Microsoft has tentatively confirmed the security hole in the popular messaging system. But Microsoft hasn't put any information about the bug on its security page and couldn't be reached for immediate comment.

Rajiv Pant, head of technical development for Philadelphia Online, found that the Exchange 5.0 service POP3 connector caches old passwords for an indefinite period.

Users logging on through a Web page interface or Windows NT won't notice the problem, Pant says. But POP3 will continue to accept old passwords.

"Implications: If an undesired person finds out your mail password, changing it won't help," Pant writes on his Web site - http://rajiv.org/active/.

Pant says he has reproduced the problem with different NT domain policy and Exchange 5.0 settings. He's now working on a patch.
