Bugtraq mailing list archives
Re: Plain text passwords--necessary
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Fri, 16 Apr 1999 13:14:59 -0700
Lots of replies to this message but they all failed to really answer the questions raised by the original post. Almost everyone responded "we want crypto". Sorry folks, crypto does not fix the problem for systems where the user wants the program to authenticate itself on its behalf automatically, such as in the case of retrieving email from a server. The program still needs to remember the password in plaintext to decrypt the private key, or worse, must maintain the private key unencrypted.

The point that we are trying to make by disclosing information about these plain text passwords is twofold.

First, plain text passwords are being used in places where they need not be. For example, the recent post about the Real Media server storing plain text passwords. There is no reason for the server to store plain text passwords. It can store a hash and authenticate users against the hash.

Second, you are correct in that programs that give the user the option of saving their password may need to know the plain text password. No amount of encryption will make the password safe. Examples include the often noted Netscape mail password. In these systems the user has explicitly allowed the software to store the password in plain text and therefore assumes the risk. The problem is that most users do not really understand what the risks really are and the software does not stress these risks. Disclosure of information on how to recover these passwords educates users to these risks.

--
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
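The first point above, that a server can store a hash and authenticate users against it rather than keeping the password itself, is shown below as an added example; it is not code from the post, from Bugtraq, or from any of the products mentioned. The record format (`pbkdf2_sha256$iterations$salt$hash`), the work factor, the `authenticate` helper and the in-memory user table are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumption: work factor chosen for illustration; tune it for the deployment.
PBKDF2_ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def make_password_record(password: str) -> str:
    """Build the only thing the server stores for a user: algorithm, iteration
    count, a fresh random salt and the derived hash. The password itself is
    discarded once this record exists."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "%s$%d$%s$%s" % (
        ALGORITHM,
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive the hash from the candidate with the stored salt and
    iteration count, and compare in constant time. The stored record never
    reveals the password, so a copy of the database is not a copy of the
    passwords."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, int(iterations)
    )
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for a user database: username -> password record.
# Each record was produced by make_password_record(); no plaintext is kept.
USER_DB = {
    "alice": make_password_record("constructed-example-password"),
}

# Dummy record used when the username is unknown, so that a missing user
# costs the same hash computation as a wrong password (no timing leak
# distinguishing "no such user" from "bad password").
_DUMMY_RECORD = make_password_record(os.urandom(16).hex())


def authenticate(db: dict, username: str, password: str) -> bool:
    """Server-side login check against hashed records only."""
    record = db.get(username)
    if record is None:
        verify_password(_DUMMY_RECORD, password)
        return False
    return verify_password(record, password)


if __name__ == "__main__":
    print("stored record:", USER_DB["alice"])
    print("correct password accepted:",
          authenticate(USER_DB, "alice", "constructed-example-password"))
    print("wrong password rejected:",
          not authenticate(USER_DB, "alice", "wrong"))
```

The server side is where hashing works: it only ever needs to answer "does this candidate match?", never to reproduce the password. That is exactly the property the post says the client-side case lacks, since a mail client that must log in unattended has to present the real password and so must be able to recover it.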