Not long ago we discussed why you still see messages that describe yet another application that stores passwords in an insecure manner, in particular under Windows. The bottom line was that there are two common cases.

The first one is where an application needs to authenticate a user against the password. In many of these cases the plaintext password can be replaced by a one-way hash with little or no loss of functionality.

The second case is that where an application requires the password to authenticate itself against a service on behalf of the user, but without prompting them for the password after the first time. Several people mentioned that an application or agent could be created that can securely store these secrets for many applications. The user would then only need to authenticate themselves once against this application or agent to allow any other applications running under their id to request their secrets. Although this system does not stop rogue applications (e.g. trojans, BackOrifice) from stealing the secrets, it does stop a whole range of vulnerabilities from doing so (e.g. javascript file stealing vulnerabilities, world-readable shares, etc).

The Win32 API provides such a service. Although in the past it was found that its encryption was rather weak, Microsoft claims to have fixed it, no one else has claimed otherwise, and it's better than nothing.

(References:
http://www.netsys.com/firewalls/firewalls-9512/0442.html
http://www.geek-girl.com/bugtraq/1995_4/0138.html )

So here is a reminder to Windows application programmers that you can use WNetCachePassword and WNetGetCachedPassword, which in some documentation MS calls the Master Password API.

-- 
Aleph One / aleph1at_private
http://underground.org/
KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
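The first case above, an application that only needs to check a user-supplied password, is the one where storing a one-way hash instead of the plaintext costs nothing in functionality. The following is an added example, not code from the post or from Microsoft, showing what that replacement looks like: a record stores only a random salt and a PBKDF2-SHA256 derivation of the password, and authentication recomputes the derivation and compares in constant time. The record format, the iteration count and the sample user store are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed default: raise until a single derivation costs a noticeable
# fraction of a second on the hardware that will do the verification.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def make_record(password, salt=None, iterations=ITERATIONS):
    """Return a storable record that does not contain the password itself.

    Format (constructed for this example): algorithm$iterations$salt$derived,
    with salt and derived key base64-encoded. A fresh random salt is drawn
    unless one is supplied, so two users with the same password get
    different records.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (
        ALGORITHM,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify(password, record):
    """Recompute the derivation from the stored salt and compare it.

    Returns False for a malformed record rather than raising, so a corrupt
    store entry behaves like a wrong password instead of crashing the caller.
    """
    try:
        algorithm, iterations, salt_b64, derived_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(derived_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, TypeError):
        return False
    # compare_digest avoids leaking how many leading bytes matched through timing.
    return hmac.compare_digest(candidate, expected)


# A record for a user that does not exist; verifying against it keeps the
# cost of an unknown-user attempt comparable to a real one.
_DUMMY_RECORD = make_record("dummy", salt=b"dummy-salt-16byt", iterations=1000)


def authenticate(store, username, password):
    """Check a password against a {username: record} store.

    The store never holds a plaintext password, so a leaked copy of it
    (world-readable share, file-stealing bug) does not hand out credentials.
    """
    record = store.get(username)
    if record is None:
        verify(password, _DUMMY_RECORD)
        return False
    return verify(password, record)


if __name__ == "__main__":
    # Constructed sample store with a single user.
    users = {"alice": make_record("correct horse battery staple")}
    print("stored record:", users["alice"])
    print("right password:", authenticate(users, "alice", "correct horse battery staple"))
    print("wrong password:", authenticate(users, "alice", "Tr0ub4dor&3"))
    print("unknown user:  ", authenticate(users, "mallory", "correct horse battery staple"))
```

The stored record is enough to verify a password but not to reproduce it, which is exactly the property the first case needs; it is not a substitute for the second case, where the application must present the real secret to another service and a protected credential cache is the right tool.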
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:04 PDT