[1347] in WWW Security List Archive
RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
daemon@ATHENA.MIT.EDU (Brain21)
Sat Dec 23 20:37:07 1995
Date: Thu, 21 Dec 1995 11:58:09 -0500 (EST)
From: Brain21 <brain21@montag33.residence.gatech.edu>
To: Michael Brennen <mbrennen@fni.com>
cc: Paul Leach <paulle@microsoft.com>, www-security@ns2.rutgers.edu
In-Reply-To: <Pine.LNX.3.91.951220090239.7977N-100000@ns1.fni.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 20 Dec 1995, Michael Brennen wrote:
>
> Does Win95 have a startup level password (and I don't know because I don't
> run Win95) to prevent access at all unless a valid password is entered?
>
It does for networking, but I'm not sure about standalone. Unfortunately
you can get around it by entering a bogus username and password. Now
Win95 has different desktops for different users, so logging in as
"bogus" w/ a passwd of "1234," for example, will not get you the same
desktop environment as Joe (Company) Owner, but as usual, you can access
any file from the file manager, you can also get a copy of their desktop
configuration file and copy it w/ your name on it so that when you log in
the next time you *will* get the same desktop as Joe Owner. Also,
passwords can be compromised via a method that I posted to this list last
week.
A better bet would be a CMOS password on bootup. This can be bypassed by
two ways - removing the machines battery for a few seconds, or by readily
available tools that will crack the password. Still enough to keep
honest people honest, so to speak.
Brain21
