Bugtraq mailing list archives

Re: Password problem in Trumpet Winsock.


From: mikedoug () TEXAS NET (Michael Douglass)
Date: Mon, 7 Apr 1997 02:16:48 -0500


On Sun, Apr 06, 1997 at 04:39:27PM -0400, null said:

It is possible to open trumpwsk.ini, take the encrypted string for the
$password= variable, and place it in the ppp-username= variable. This
allows one to start up tcpman.exe, go to File > PPP Options and get the
user's password.
Impact:

Wait, one could quite simply write a decoder and decode the password
from the ini file.  I believe someone once told me that Trumpet uses a
simple base64 routine to "encode" the password.  Trust me, we have
routines that will encode/decode the passwords; so the problem is not
the ability to move the "encrypted" (used lightly) string into
ppp-username, but that there is no real encryption involved in the
password saving mechanism.

The problem here is that no matter what you do, you have to be able to
produce the plain-text password to authenticate with the remote host;
so it cannot be encrypted using a one-way hash function (such as UNIX
passwords).  You could have trumpet encrypt the password with some
passphrase--but why not just have it ask for your password when you
want to dial in that case? (??)

Basically this is not a security "hole" in Trumpet's method of
"encrypting" the password because it is not encrypting it at all--it is
simply "encoding" it; so that the majority of non-techies (and even
some techies) won't be able to get your password from Trumpet.

There may be an important issue there--but I don't see it.  But that
could just come from years of knowing that the Trumpet passwords were
insecure (and easily decoded) and (when using Trumpet) disabling the
"password" saving from the dialin script.

--
Michael Douglass
Texas Networking, Inc.

 "The past is a foreign country; they do things differently there."
      L. P. Hartley, British author. The Go-Between, Prologue (1953).


