On Thu, 23 Aug 2001, Desmond Irvine wrote:

>Respondus Version 1.1.2 (7-26-2001) stores passwords using weak encryption.

[snip]

>Work-around:
>
>- uncheck "Remember my User Name and Password (save them on this computer)"
> you should have never checked it in the first place (even if it isn't a
> shared computer).
>
>The vendor has been notified and is planning on addressing the issue in the future.

Must we debate this non-issue again?

Yes, if you ask the application to remember your password, it stores it in a retrievable form. The "weak encryption", as you call it, would be better termed "light obfuscation". Its purpose is not to prevent someone with access to the data from recovering the "plaintext" or unobfuscated password. Rather, it is to prevent unintentional revealing of the password during casual browsing of files.

You will *always* be able to duplicate the action of the password-remembering application, which by definition must contain code to obtain the unobfuscated password with no further user input.

See previous bugtraqs regarding Netscape Messenger's scheme for password archiving:

<370CE37B.2A066C20at_private>
<370D20EF.BE1A63Aat_private>

(Sorry, I don't have URLs available)

Cheers,
Phil

This archive was generated by hypermail 2b30 : Fri Aug 24 2001 - 09:14:28 PDT