[10257] in bugtraq
Re: Plain text passwords--necessary
daemon@ATHENA.MIT.EDU (Aleph One)
Fri Apr 16 16:40:45 1999
Date: Fri, 16 Apr 1999 13:14:59 -0700
Reply-To: Aleph One <aleph1@UNDERGROUND.ORG>
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@NETSPACE.ORG
Lots of replies to this message but they all failed to really answer
the questions raised by the original post.
Almost everyone responded "we want crypto". Sorry folks, crypto
does not fix the problem for systems where the user wants the
program to authenticate itself on its behalf automatically, such
as in the case of retrieving email from a server. The program still
needs to remember the password in plaintext to decrypt the private
key, or worse, must maintain the private key unencrypted.
The point that we are trying to make by disclosing information about
these plain text passwords is twofold.
First, plain text passwords are being used in places where they need not
be. For example, the recent post about the Real Media server storing
plain text passwords. There is no reason for the server to store
plain text passwords. It can store a hash and authenticate users
against the hash.
Second, you are correct in that programs that give the user the option
of saving their password may need to know the plain text password.
No amount of encryption will make the password safe. Examples include
the often noted Netscape mail password.
In these systems the user has explicitly allowed the software to store
the password in plain text and therefore assumes the risk. The problem
is that most users do not really understand what the risks really are
and the software does not stress these risks. Disclosure of information
on how to recover these passwords educates users to these risks.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
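The two cases the post separates, as an added example that is not part of the original message and not code from any of the products it names: a server that only has to verify a password can keep a salted, iterated hash and never the plaintext (the first point); a mail client that must present the password to a remote server on the user's behalf has to reproduce the plaintext, so "encrypting" it with a key that lives in the same config file or binary only obscures it (the second point). The PBKDF2 iteration count, the client key and the sample passwords are all constructed for this example.

```python
"""
Added example: server-side hashed verification versus client-side
"remembered" passwords that must be replayed.  Not from the original post.
"""
import hashlib
import hmac
import os

# --- Case 1: a server only needs to VERIFY, so it can store a hash ----------

PBKDF2_ITERATIONS = 200_000  # assumption: a modern work factor, chosen for this example


def make_record(password: str) -> dict:
    """Store a random salt plus a PBKDF2-HMAC-SHA256 digest; the plaintext is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


# --- Case 2: a client must PRESENT the password, so it can only obscure it --

# Hypothetical fixed key a mail client might compile in.  Constructed for this
# example; it stands in for whatever static secret a real client would use.
CLIENT_KEY = b"example-mail-client-key"


def keystream(key: bytes, length: int) -> bytes:
    """Expand the fixed key into a keystream (SHA-256 in counter mode).

    The cipher is irrelevant to the point: whoever can read the stored blob
    can also read the key, so the scheme is reversible by design.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def client_store(password: str) -> bytes:
    """What a client does when the user ticks 'remember my password'."""
    pw = password.encode()
    return bytes(a ^ b for a, b in zip(pw, keystream(CLIENT_KEY, len(pw))))


def client_recover(blob: bytes) -> str:
    """The client needs this to log in automatically.  So does anyone with
    read access to the same file and the same key."""
    return bytes(a ^ b for a, b in zip(blob, keystream(CLIENT_KEY, len(blob)))).decode()


if __name__ == "__main__":
    rec = make_record("hunter2")  # constructed sample password
    print("correct password verifies:", verify(rec, "hunter2"))
    print("wrong password verifies:  ", verify(rec, "hunter3"))

    blob = client_store("hunter2")
    print("stored client blob:       ", blob.hex())
    print("recovered from the blob:  ", client_recover(blob))
```

The server half shows what the post says the Real Media server could have done instead: nothing on disk lets an attacker log in without first cracking the hash. The client half shows why the Netscape-style case is different: `client_recover` is exactly the routine the client runs at startup, and it works just as well for anyone who has copied the blob and the key, which is what the password-recovery posts the message refers to demonstrate.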