Bugtraq mailing list archives

Re: Plain text passwords--necessary


From: chris () ORMOND UNIMELB EDU AU (Chris)
Date: Tue, 20 Apr 1999 13:23:33 +1000


On Fri, Apr 16, 1999 at 01:14:59PM -0700, Aleph One wrote:
> Lots of replies to this message but they all failed to really answer
> the questions raised by the original post.
>
> Almost everyone responded "we want crypto". Sorry folks, crypto
> does not fix the problem for systems where the user wants the
> program to authenticate itself on its behalf automatically, such
> as in the case of retrieving email from a server. The program still
> needs to remember the password in plaintext to decrypt the private
> key, or worse, must maintain the private key unencrypted.



Perhaps it would be possible to use an authentication agent with which to
store user passwords for services so that the user is only prompted once per
session (indeed, their login password could maybe suffice).  This password
is used as the private key to a small db of passwords, which any program
can register with.  The concept is akin to ssh-agent.  Would this be a
possible thing - or are there problems with this approach as well?  How
difficult would it be to implement?


Chris

--

----------------------------------------------------------------------
The box said "Windows 95, NT or better" .. so I installed Debian Linux
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key.  KeyID 0xA9E087D5
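As an added illustration of the agent Chris sketches (example code, not from the thread or any project): a minimal Python agent that derives a key from the session password, keeps only that derived key in memory, and hands registered service passwords back to callers. The HMAC-based keystream, the on-disk layout and the iteration count are assumptions of this example; it also makes Aleph One's point concrete, since the secret material now sits in the agent's memory rather than in each program's.

```python
import hashlib
import hmac
import json
import os

def _keystream(key, nonce, length):
    # PRF-based keystream (HMAC-SHA256 over nonce||counter), used only because the
    # standard library ships no AES; a real agent would use an AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

class PasswordAgent:
    """ssh-agent-style session agent: unlocked once with the user's password, then
    answers lookups from registered programs.  Trade-off the thread raises: the
    derived key stays in this process's memory for the whole session."""

    def __init__(self, master_password, salt=None):
        self._salt = salt or os.urandom(16)
        # Only the derived key is retained; the master password itself is dropped.
        self._key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), self._salt, 100_000)
        self._entries = {}

    def register(self, service, password):
        self._entries[service] = password

    def lookup(self, service):
        return self._entries.get(service)

    def save(self):
        # On-disk layout (assumed): salt(16) | nonce(16) | tag(32) | ciphertext
        plaintext = json.dumps(self._entries).encode()
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(self._key, nonce, len(plaintext))))
        tag = hmac.new(self._key, nonce + ct, "sha256").digest()
        return self._salt + nonce + tag + ct

    @classmethod
    def unlock(cls, master_password, blob):
        salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
        agent = cls(master_password, salt)
        expected = hmac.new(agent._key, nonce + ct, "sha256").digest()
        if not hmac.compare_digest(tag, expected):  # wrong password or tampered store
            raise ValueError("cannot unlock password store")
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(agent._key, nonce, len(ct))))
        agent._entries = json.loads(pt)
        return agent
```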


