Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords")
From: robert.e.jones () CWO COM AU (Rob Jones)
Date: Fri, 17 Dec 1999 16:04:10 +1100

case Netscape needs to run out and get a bar so they can raise it.

This is a red herring. Local secure storage of secrets in PCs without another

I dont know if it applies to windoze but the Linux & xBSD versions of
netscape store the 'encoded' (not encrypted) password even if
the user never ticks the remember password box.

Now that Netscape should fix!

Local secure storage of secrets is a service that needs to be provided
by the operating system. In the case of Windows NT you can store them
(with some limitations) using the Local System Authority (LSA) API. Under
Windows 95/98 there is an API to store secrets using the users logon password
(stores the secrets in .PWL files) but to my knowledge it is not documented
by Microsoft (although they allude to it in some early Windows 95 presentation
slides). Maybe someone with more knowledge of Microsoft operating systems
can confirm?

Regardless of if the secrets are encoded with the users password they
are decodable anyway. There are plenty of password extractors for .pwl files.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]