Vulnerability Development mailing list archives

Re: NT stores passwords in plaintext. (sp00ky)


From: Dan Kaminsky <dankamin () CISCO COM>
Date: Wed, 21 Mar 2001 12:17:32 -0800

So this is where I'm supposed to wearily get back on my soapbox and proclaim
to the world, yet again, "People, it really is pretty irrelevant if a
password is stored in plaintext, because it's effectively trivially crackable
by definition of the decryption key / algorithm being necessarily on the
same machine."

Then I'd post a link to
http://www.doxpara.com/read.php/security/password_rejected.html .

But Strezz opens up an interesting caveat I hadn't really thought of:  When
the password would otherwise be masked by a large amount of random data (as
opposed to being the only high-entropy data in an otherwise low-entropy
structure, i.e. the registry), having it *not* possess similar entropy
identifies and emphasizes the exact location of the memory dump that
contains the eventually readable password.

So, in other words, password=a13OOpio12 is effectively useless
encryption--but given:

skjf13113KJJiiOpqra13OOpio12poqo212nbBB

from a *memory dump* (i.e. not the original mode the data was supposed to be
read from), the surrounding noise does indeed provide a masking threshold
the encrypted password can hide amongst.

Now, the problem of course is that as random as memory dumps might look,
there's actually a decent amount of structure to them, and automated dump
analysis tools exist to take a standard dump file and parse out what was
allocated to what (and thus isolate the encoded password).  So this entire
line of thought is somewhat academic, when you get down to it.

Yours Truly,

    Dan Kaminsky, CISSP
    http://www.doxpara.com
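An added illustration of the masking argument in the post above (example code written for this archive page, not the poster's): a sliding-window Shannon entropy scan, the same trick secret scanners use to spot stray credentials, run over two constructed buffers that both embed the post's example password. One buffer imitates a registry-like region (UTF-16LE value names and zero padding), the other is seeded random noise; the masking ratio is the fraction of windows at least as "random" as the password, i.e. how many candidate locations a reviewer would have to sift through. The buffer contents, the seed and the window width are assumptions.

```python
import math
import random
from collections import Counter

# The example password quoted in the post.
TOKEN = b"a13OOpio12"
WIDTH = len(TOKEN)  # window width: assumption, sized to the secret

# Constructed registry-like region: UTF-16LE names plus zero padding (assumption).
LOW_ENTROPY_DUMP = (
    b"\x00" * 16
    + "Software\\Vendor\\App".encode("utf-16-le") + b"\x00\x00"
    + "DefaultPassword".encode("utf-16-le") + b"\x00\x00"
    + TOKEN
    + b"\x00" * 16
    + "LastLogonUser".encode("utf-16-le") + b"\x00\x00"
)
TOKEN_OFFSET = 88  # where TOKEN lands in the buffer above

# Constructed noise region of the same size, same secret at the same offset.
_rng = random.Random(2001)  # fixed seed so the result is reproducible
_noise = bytearray(_rng.getrandbits(8) for _ in range(len(LOW_ENTROPY_DUMP)))
_noise[TOKEN_OFFSET:TOKEN_OFFSET + WIDTH] = TOKEN
NOISE_DUMP = bytes(_noise)


def shannon_entropy(window: bytes) -> float:
    """Shannon entropy of a byte window, in bits per byte."""
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in Counter(window).values())


def candidate_offsets(data: bytes, secret: bytes, width: int = WIDTH) -> list:
    """Offsets of every window whose entropy is at least that of the secret.

    A small tolerance absorbs floating-point differences between windows
    whose byte-count multisets are identical but summed in another order.
    """
    threshold = shannon_entropy(secret[:width]) - 1e-9
    return [i for i in range(len(data) - width + 1)
            if shannon_entropy(data[i:i + width]) >= threshold]


def masking_ratio(data: bytes, secret: bytes, width: int = WIDTH) -> float:
    """Fraction of windows as random-looking as the secret: near 0 means the
    secret sticks out, near 1 means the surrounding noise masks it."""
    return len(candidate_offsets(data, secret, width)) / (len(data) - width + 1)


if __name__ == "__main__":
    for name, dump in (("registry-like", LOW_ENTROPY_DUMP), ("noise", NOISE_DUMP)):
        print(f"{name}: masking ratio {masking_ratio(dump, TOKEN):.2f}, "
              f"candidate offsets {candidate_offsets(dump, TOKEN)[:8]}")
```

In the registry-like buffer only the windows overlapping the password clear the threshold, while in the noise buffer nearly every window does. This is the masking the post describes, before any structural dump analysis is applied.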

