> The Win32 API provides such service. Although in the past it was
> found that its encryption was rather weak Microsoft claims to have
> fixed it, no one else has claimed otherwise, and it's better than
> nothing. (References:
> http://www.netsys.com/firewalls/firewalls-9512/0442.html
> http://www.geek-girl.com/bugtraq/1995_4/0138.html ).
>
> So here is a reminder to Windows application programs that you can
> use WNetCachePassword and WNetGetCachedPassword, which in some
> documentation MS calls the Master Password API.

Indeed.

And for admins who wish to prevent user machines from caching
passwords the following Win9x REG file may be useful:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001

Apply that to a client machine then nuke all PWL files in the Windows
dir and you need not worry whether future vulnerabilities might open
you to exposure from cached passwords.

I imagine there is something similar for NT. Anyone know the details?

Regards,

Nick FitzGerald
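An audit check for the two steps described in the message above (policy value set, no PWL files left behind), as an added example that is not part of the original post. It assumes the machine's registry state is available as REGEDIT4 export text; the function names, the sample export and the stand-in directory are constructed for illustration.

```python
import os
import re
import tempfile

# Key and value name are taken from the REG file in the post above.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network"
VALUE_NAME = "DisablePwdCaching"

def parse_regedit4(text):
    """Parse REGEDIT4 export text into {KEY: {value_name: raw_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*(.+)$', line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
    return keys

def caching_disabled(export_text):
    """True only if the value is present and equals dword:00000001."""
    values = parse_regedit4(export_text).get(POLICY_KEY.upper(), {})
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", values.get(VALUE_NAME.lower(), ""))
    return bool(m) and int(m.group(1), 16) == 1

def leftover_pwl_files(windows_dir):
    """PWL files still present in the Windows directory (case-insensitive)."""
    return sorted(n for n in os.listdir(windows_dir) if n.lower().endswith(".pwl"))

def audit(export_text, windows_dir):
    """A machine passes only if the policy is set AND no PWL file remains."""
    disabled = caching_disabled(export_text)
    leftovers = leftover_pwl_files(windows_dir)
    return {"policy_set": disabled, "pwl_files": leftovers,
            "compliant": disabled and not leftovers}

# Constructed sample input: an export with the policy applied.
SAMPLE_EXPORT = (
    "REGEDIT4\n\n"
    "[" + POLICY_KEY + "]\n"
    '"DisablePwdCaching"=dword:00000001\n'
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as windir:  # stand-in for the Windows dir
        open(os.path.join(windir, "USER1.PWL"), "wb").close()  # constructed file
        print(audit(SAMPLE_EXPORT, windir))
```

A machine with the policy set but an old PWL file still on disk is reported as non-compliant, since the existing cache file is what remains exposed.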
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:09 PDT