[1277] in WWW Security List Archive
Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
daemon@ATHENA.MIT.EDU (Troy Denkinger)
Tue Dec 19 14:15:46 1995
Date: Tue, 19 Dec 1995 10:18:48 -0500
From: T.Denkinger@ccmail.mi04.zds.com (Troy Denkinger)
To: hickey@ctron.com, lstein@genome.wi.mit.edu,
Jeff Treuhaft <jeff@netscape.com>
Cc: www-security@ns2.rutgers.edu, dave.mccomb@gs.com,
jcarroll@redman.canada.dg.com, tara@linkage.cpmc.columbia.edu
Errors-To: owner-www-security@ns2.rutgers.edu

>Let me first clarify that Netscape Navigator does not save the passwords
>used to access a protected document in any hidden files.
>Second the problem you have noticed is indeed a bug in the 2.0 beta
>versions of Netscape Navigator.

This may be a bug in NS2.0 betas, but it seems to actually be a "feature" in the
Microsoft Internet Explorer for Win95. Authentication information is actually
saved onto the hard drive, it appears.

For instance, I have a secure area on our server. I haven't logged into that
area for weeks. I just went there and a dialog pops up with the username and
password all neatly typed in. At least the password was *ed out. Furthermore,
there's a checkbox with the option to "Save This Password In Your Password
List."

There's some security for ya. This is with the current version of the MS
Internet Explorer available from MS's web site.

Troy Denkinger