stored credentials was: Netscape 4.5 vulnerability

From: Russell Fulton (r.fultonat_private)
Date: Sun Apr 18 1999 - 15:01:26 PDT


    On Fri, 16 Apr 1999 09:04:31 +0300 Juha Jäykkä
    <juoljaat_private> wrote:
    
    > > Not like a DES, this encryption can be decrypted. As a result of many
    > > experiments I wrote this program. It gives me almost all passwords in my
    > > system, because all people use Netscape.
    >
    >   Blast it. It does not matter even if you used TwoFish, BlowFish or
    > IDEA! The passwords saved in the preferences file would still be easily
    > decrypted.
    >   People seem to be forgetting a very important point here: the
    > encryption password must be internally stored somewhere because the user
    > never gets asked for it. Thus it is never necessary to "crack" the
    > passwords because we can always use the original password.
    >   I see this same line of thought here every now and then: people report
    > "bugs" like this while they are indeed vulnerable by design. There is no
    > secure way of storing a password and recalling it without asking the
    > user for some kind of passphrase. Please someone correct me, if I'm
    > wrong at this. I know of no such cryptosystem.
    
    To my knowledge you are correct.  The bottom line is this: Client
    programs that store credentials so the user does not have to enter them
    every time the program is used are insecure.  End of story. I dearly
    wish most email, ppp etc. clients did not have a check box: save
    password.
    
    As has been pointed out by others (e.g. Joel Maslak) there are cases
    where the storage of credentials is pretty well unavoidable because the
    applications are run unattended and Joel gives some sensible ways to
    mitigate (but not remove) the risk.
    
    One technique I have not seen mentioned recently is postdated
    credentials (à la Kerberos postdated tickets).  If you know your
    backup or database download is going to be run between 0200 and 0205
    then have it store credentials that are only valid between those times.
    
    Kerberos is the only system that I know that supports postdated
    credentials; surely there are others?
    
    Cheers, Russell.
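
The postdated-credential idea from the message above, sketched as an added example that is not part of the original post and is not Kerberos itself: it assumes a simple HMAC-signed token whose validity window is checked by the service. The names `issue`, `verify`, `ts`, `KEY` and `TOKEN` are hypothetical, and the key and dates are constructed sample values.

```python
"""Time-windowed ("postdated") credential sketch: HMAC-SHA256 over a validity window."""
import hashlib
import hmac
import struct
from datetime import datetime, timezone

TAG_LEN = hashlib.sha256().digest_size
HDR = struct.Struct(">QQ")  # not_before, not_after as Unix seconds


def issue(key: bytes, principal: str, not_before: int, not_after: int) -> bytes:
    """Issuer side: bind the principal to a validity window and MAC the result."""
    if not_after <= not_before:
        raise ValueError("empty validity window")
    body = HDR.pack(not_before, not_after) + principal.encode("utf-8")
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify(key: bytes, token: bytes, now: int, skew: int = 0):
    """Service side: return (status, principal); principal is None unless status is 'ok'."""
    if len(token) < HDR.size + TAG_LEN:
        return "malformed", None
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return "bad-mac", None
    not_before, not_after = HDR.unpack(body[:HDR.size])
    if now < not_before - skew:
        return "not-yet-valid", None
    if now >= not_after + skew:
        return "expired", None
    return "ok", body[HDR.size:].decode("utf-8")


def ts(hh: int, mm: int) -> int:
    """Constructed sample date: 1999-04-19 UTC at hh:mm."""
    return int(datetime(1999, 4, 19, hh, mm, tzinfo=timezone.utc).timestamp())


# KEY is held by the issuer and the verifying service only (constructed value).
KEY = b"constructed-demo-key-not-a-real-secret"
# TOKEN is what the unattended job keeps on disk: usable from 02:00 until 02:05.
TOKEN = issue(KEY, "backup-job", ts(2, 0), ts(2, 5))

if __name__ == "__main__":
    for label, when in [("01:30", ts(1, 30)), ("02:03", ts(2, 3)), ("09:00", ts(9, 0))]:
        print(label, verify(KEY, TOKEN, when))
    # Stretching the window in the stored token invalidates the MAC.
    forged = HDR.pack(ts(0, 0), ts(23, 59)) + TOKEN[HDR.size:]
    print("forged", verify(KEY, forged, ts(9, 0)))
```

A copy of the stored token taken from disk is accepted only inside the five-minute window, which narrows the exposure without removing it, as the message says of mitigation in general.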
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:55 PDT