[1327] in WWW Security List Archive
RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
daemon@ATHENA.MIT.EDU (Thomas Reardon)
Fri Dec 22 02:00:05 1995
From: Thomas Reardon <thomasre@microsoft.com>
To: "Holger.Reif@PrakInf.TU-Ilmenau.DE" <Holger.Reif@PrakInf.TU-Ilmenau.DE>
Cc: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
Date: Thu, 21 Dec 1995 20:43:14 -0800
Errors-To: owner-www-security@ns2.rutgers.edu
----------
From: Holger.Reif@PrakInf.TU-Ilmenau.DE[SMTP:Holger.Reif@PrakInf.TU-Ilmenau.DE]
Paul Leach <paulle@microsoft.com>:
> The authentication information that is saved to the hard drive (in the
> user's personal Password List) is encrypted with the user's login
> password. (To be more precise, the user's login password is used to
> generate a key, with which all the other passwords are encrypted. This
> key used to be too short (32 bits), so we've made available a 128 bit
> version -- see
> http://www.windows.microsoft.com/windows/software/mspwlupd.htm)
First you should mention that the content of .PWL files is breakable
within seconds (don't have a pointer at hand).
>> To reemphasize this, the fix posted last week addresses the PWL hack. As
far as we know, you cannot break the new PWL handler security 'within
seconds'.
-Thomas Reardon
Microsoft