Bugtraq mailing list archives
Re: Plain text passwords--necessary
From: chris () ORMOND UNIMELB EDU AU (Chris)
Date: Tue, 20 Apr 1999 13:23:33 +1000
On Fri, Apr 16, 1999 at 01:14:59PM -0700, Aleph One wrote:
> Lots of replies to this message but they all failed to really answer the questions raised by the original post. Almost everyone responded "we want crypto". Sorry folks, crypto does not fix the problem for systems where the user wants the program to authenticate itself in its behalf automatically such as in the case of retrieving email from a server. The program still requires to remember the password in plaintext to decrypt the private key, or worse, must maintain the private key unencrypted.
Perhaps it would be possible to use an authentication agent with which to store user passwords for services so that the user is only prompted once per session (indeed, their login password could maybe suffice). This password is used as the private key to a small db of passwords, which any program can register with. The concept is akin to ssh-agent. Would this be a possible thing - or are there problems with this approach as well? How difficult would it be to implement?

Chris

--
----------------------------------------------------------------------
The box said "Windows 95, NT or better" .. so I installed Debian Linux
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key. KeyID 0xA9E087D5
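The agent idea raised in the reply above, sketched as an added example that is not part of the original post: a session password unlocks an encrypted password db once, and the agent then answers lookups from memory until it is locked. The names `seal` and `PasswordAgent`, the blob layout and the sample service are assumptions, and the HMAC-SHA256 counter-mode cipher is a stdlib stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, json, os

def _derive(master: str, salt: bytes):
    # One slow KDF pass per session; split the output into encryption and MAC keys.
    k = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, XORed with the data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(master: str, secrets: dict) -> bytes:
    # On-disk form of the db: salt | nonce | tag | ciphertext (encrypt-then-MAC).
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = _derive(master, salt)
    ct = _keystream_xor(k_enc, nonce, json.dumps(secrets).encode())
    tag = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct

class PasswordAgent:
    """Holds the decrypted db in memory only while unlocked."""
    def __init__(self, blob: bytes):
        self._blob, self._secrets = blob, None

    def unlock(self, master: str) -> bool:
        b = self._blob
        salt, nonce, tag, ct = b[:16], b[16:32], b[32:64], b[64:]
        k_enc, k_mac = _derive(master, salt)
        expect = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):  # wrong password or tampered db
            return False
        self._secrets = json.loads(_keystream_xor(k_enc, nonce, ct))
        return True

    def get(self, service: str) -> str:
        if self._secrets is None:
            raise PermissionError("agent is locked")
        return self._secrets[service]

    def lock(self):
        # Drop the only reference to the decrypted db; clients must unlock again.
        self._secrets = None
```

While unlocked, the agent holds every stored password in process memory and hands it to whichever caller can reach `get`, so access control on the agent's interface carries the protection for the length of the session.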