[1299] in WWW Security List Archive
RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
daemon@ATHENA.MIT.EDU (Holger Reif)
Thu Dec 21 07:15:25 1995
Date: Thu, 21 Dec 95 10:21:40 +0100
From: Holger.Reif@PrakInf.TU-Ilmenau.DE (Holger Reif)
To: paulle@microsoft.com
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Paul Leach <paulle@microsoft.com>:
> The authentication information that is saved to the hard drive (in the
> user's personal Password List) is encrypted with the user's login
> password. (To be more precise, the user's login password is used to
> generate a key, with which all the other passwords are encrypted. This
> key used to be too short (32 bits), so we've made available a 128 bit
> version -- see http://www.windows.microsoft.com/windows/software/mspwlupd.htm)
First, you should mention that the content of .PWL files is breakable
within seconds (don't have a pointer at hand).
Second, there are concerns about how to get 128 _random_ bits out of
a user's password.
Third, no one AFAIK has publicly reviewed the new encryption algorithm.
Not very good...
read you later - Holger Reif
http://remus.prakinf.tu-ilmenau.de/Reif/
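
The second concern in the message above, worked through as an added example (not part of the original message and not Microsoft's code): a key derived deterministically from a password can take at most as many values as there are passwords, whatever the key length. The KDF used here (SHA-256 truncated to 128 bits) and the password policies are assumptions chosen for illustration; the thread does not describe the actual .PWL algorithm.

```python
import hashlib
import itertools
import math

KEY_BITS = 128  # key length quoted in the thread


def derive_key(password: str) -> bytes:
    """Stand-in KDF (assumption): SHA-256 truncated to 128 bits.
    This is NOT the .PWL algorithm, which the thread does not describe."""
    return hashlib.sha256(password.encode("utf-8")).digest()[: KEY_BITS // 8]


def password_space_bits(alphabet_size: int, max_len: int) -> float:
    """log2 of the number of passwords of length 1..max_len."""
    total = sum(alphabet_size ** n for n in range(1, max_len + 1))
    return math.log2(total)


def effective_key_bits(alphabet_size: int, max_len: int) -> float:
    """A deterministic KDF adds no entropy: strength is capped by the
    smaller of the key length and the password space."""
    return min(float(KEY_BITS), password_space_bits(alphabet_size, max_len))


def distinct_keys(alphabet: str, max_len: int) -> int:
    """Enumerate a tiny constructed password space and count derived keys."""
    keys = set()
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            keys.add(derive_key("".join(chars)))
    return len(keys)


if __name__ == "__main__":
    # Constructed policies (assumptions): label, alphabet size, max length.
    policies = [
        ("lowercase, up to 8 chars", 26, 8),
        ("letters+digits, up to 8 chars", 62, 8),
        ("printable ASCII, up to 14 chars", 95, 14),
        ("printable ASCII, up to 20 chars", 95, 20),
    ]
    for label, size, length in policies:
        bits = effective_key_bits(size, length)
        print(f"{label:34s} {bits:6.1f} of {KEY_BITS} bits")
    # 3 symbols, length <= 4: 3 + 9 + 27 + 81 passwords, hence that many keys.
    print("distinct 128-bit keys:", distinct_keys("abc", 4))
```

The figures are upper bounds that assume uniformly random passwords; passwords chosen by people fall well below them.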