mailing list archives
Re: How the password could be recover using FTP Explorer's registry!
From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Sat, 26 Feb 2000 23:16:22 +0100
And here, folks, is the good old red herring problem once over again.
I'm not saying that Nelson is wrong. It is a problem. But.. Well.
For those of you saying "why aren't they using better crypto, since
it IS available?", read on...
user -> nelson
pass -> ABC
and I found two values:
Login = nelson
Type = 4A4E52
[snip: How to "descramble" the password]
Passwords _cannot_ securely be stored locally without encrypting them
with another password that the user must enter.
Even if a "good" crypto algorithm is used, the key to unlock the
"password repository" must be stored somewhere.
Hopefully this is in the user's brain, but since most users cry foul
when they have to remember passwords, this usuall gets stored on the
same insecure hard drive that the "encrypted" secrets are stored,
all in the name of user friendliness.
When the key for decrypting the password repository gets stored,
all you need to do is go find the key and then you can go read all
Let me reiterate: IT IS NOT POSSIBLE TO STORE COMPLETE SECRETS ON
THE LOCAL COMPUTER IF THE LOCAL COMPUTER CANNOT BE TRUSTED.
Solution: Don't write apps that store passwords on the local computer
without using another password to encrypt them.
Workaround: Disable all "remember this password for me" checkboxes
that keep cropping up in all sorts of apps
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
Zonealarm exports sensitive data Andrew Daviel (Feb 25)