Bugtraq mailing list archives
Re: One step easier password guessing on Windows
From: Howard Yeend <h_bugtraq () yahoo com>
Date: Tue, 3 Sep 2002 01:36:02 -0700 (PDT)
a few comments:

1) this is a known issue
2) Revelation, snitch, openPass, etc won't work in msie
3) If the password is 'remembered' by the server (ie, not cached, but sent as part of the html), you could just view source.
4) Not as relevant, but you could do some simple XSS to alert the password (eg: alert(document.forms[0].thepasswordfieldname.value);)

--- NP-completer <npcompleter () hotmail com> wrote:
Hi,

Microsoft's IE has a feature of storing login passwords for future use. With (at least) IE 6 on Win2k SP3 (as well as others, see below,) if you see the login screen with <input type="password"...> tag, and the cached password appears as asterisks, if you stand at the beginning of the string and Ctrl+Shift+Right Arrow to select the whole string, if the password contains any delimiters (i.e. spaces, colons, commas, ...etc.) the selection will stop before it. That means that the next char is a delimiter.

One might say, "why bother? Snadboy's Revelation will give me the cleartext password!" Well, this might be true with IE, but the same thing is with apps built with Java (tested on JDK 1.3) which Revelation doesn't reveal.

By knowing the existence of a delimiter, and the number of chars, and some social engineering sense, one may guess the password.

Example 1: Many people use dates as their passwords, they usually meet the regex '^([0-9]{1,2}[\/\-\.]){2}[1-9]{2,4}$', this means that if you can find that the password pattern meets the previous pattern, easier guessing/brute forcing can be done.

Example 2: Some people tend to use their full name, so a single separator between two parts with the same number of characters of victim's full name means even easier guessing.

I haven't tested on *NIX yet.

Tested on:
=======
* Internet Explorer 6 (On Win2k Pro SP3) =====> Vulnerable
* Netscape Navigator (On Win2k Pro SP3) =====> Not Vulnerable
* Mozilla (On Win2k Pro SP3) =====> Not Vulnerable
* Opera 6.02 (On Win2k Pro SP3) =====> Vulnerable
* Java based applications/applets (JDK 1.3) =====> Vulnerable
* Visual C++ 6 (MFC 4.2) applications =====> Not Vulnerable
* Visual Basic 6 applications =====> Not Vulnerable

Peace
NP-completer
XEgypt.org
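Added example, not part of either post: a small model of the word-wise selection behaviour reported above, beside the hardened rule a masked field should use (treat the whole value as one token), with the guessing effort each one leaves. The function names, the delimiter set, the 95-character alphabet and the sample password are assumptions made for this illustration.

```javascript
// Added illustration (not from the thread). Names, the delimiter set and
// the sample password are constructed for this example.
const DELIMS = [' ', ':', ',', '.', '/', '-'];
const PRINTABLE = 95; // printable ASCII characters

// Vulnerable rule: the masked field reuses normal word-break logic, so
// extending the selection by one word stops in front of the next delimiter.
function nextStopWordAware(value, pos) {
  for (let i = pos; i < value.length; i++) {
    if (DELIMS.includes(value[i])) return i;
  }
  return value.length;
}

// Hardened rule: a masked field is one opaque token; word-wise
// selection always jumps to the end of the field.
function nextStopOpaque(value, pos) {
  return value.length;
}

// What someone at the keyboard can read off the asterisks by selecting
// word by word: 'x' = some character, 'D' = a delimiter sits here.
function observableMask(value, nextStop) {
  let mask = '';
  let pos = 0;
  while (pos < value.length) {
    const stop = nextStop(value, pos);
    mask += 'x'.repeat(stop - pos);
    if (stop < value.length) mask += 'D';
    pos = stop + 1;
  }
  return mask;
}

// Guessing effort in bits for a given mask and per-position choices.
function bits(mask, charChoices, delimChoices) {
  let total = 0;
  for (const c of mask) total += Math.log2(c === 'D' ? delimChoices : charChoices);
  return total;
}

const sample = '12.09.2002'; // constructed date-style password
const leaked = observableMask(sample, nextStopWordAware); // "xxDxxDxxxx"
const opaque = observableMask(sample, nextStopOpaque);    // "xxxxxxxxxx"
console.log(opaque, bits(opaque, PRINTABLE, PRINTABLE).toFixed(1));
console.log(leaked, bits(leaked, PRINTABLE - DELIMS.length, DELIMS.length).toFixed(1));
// Same mask if the observer also assumes the date shape from Example 1:
console.log(leaked, bits(leaked, 10, 3).toFixed(1));
```

With the opaque rule only the length is observable; the word-aware rule also exposes delimiter positions, which is what makes the shape assumptions in Examples 1 and 2 checkable from the screen.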
Current thread:
- One step easier password guessing on Windows NP-completer (Sep 02)
- Re: One step easier password guessing on Windows Howard Yeend (Sep 03)