Bugtraq mailing list archives

Re: @stake Security Advisory: NetZero Password Algorithm


From: Intrepid| <intrepid () POBOX COM>
Date: Mon, 31 Jul 2000 11:55:07 -0400

At 10:30 AM 7/18/2000  Tuesday, you wrote:
[snip snip snip *ouch* snip snip snip]

[After reading the rather lengthy advisory...]
        I agree that many vendors, including NetZero, may use poor algorithms to
protect passwords.

        However, the advisory does use NetZero as the case example.  And you can
truly get the "password in less than a seconds time" without knowledge of
the algorithm.  No C program necessary.

        Just copy and paste the password from NetZero's logon screen into pretty
much any text or word processing program.  The asterisks will be converted
to plain text.

        Yesterday, I discovered this wonderful feature because I forgot my
NetZero password.  I happened to have saved the advisory (as I use NetZero)
and was cleaning out some old email this morning when I happened across it
again.

        I believe this copy/paste "technique" is not uncommon and has been around
for a long time.  -My- first experience with this was on a 68k Mac about 5-6
years ago.  Then it had something to do with improper uses of fonts.  Pure
speculation on my part, but I would not be surprised if that was the case
for Windows as well.  However, I have not and do not intend to look into
this any more.

        Using NetZero Z3, version 3.0.4, on a Win98 box.

