[10280] in bugtraq


Re: Plain text passwords--necessary

daemon@ATHENA.MIT.EDU (Chris)
Tue Apr 20 14:10:28 1999

Date: 	Tue, 20 Apr 1999 13:23:33 +1000
Reply-To: Chris <chris@ORMOND.UNIMELB.EDU.AU>
From: Chris <chris@ORMOND.UNIMELB.EDU.AU>
To: BUGTRAQ@NETSPACE.ORG

On Fri, Apr 16, 1999 at 01:14:59PM -0700, Aleph One wrote:
> Lots of replies to this message but they all failed to really answer
> the questions raised by the original post.
>
> Almost everyone responded "we want crypto". Sorry folks, crypto
> does not fix the problem for systems where the user wants the
> program to authenticate itself in its behalf automatically such
> as in the case of retrieving email from a server. The program still
> requires to remember the password in plaintext to decrypt the private
> key, or worse, must maintain the private key unencrypted.
>


Perhaps it would be possible to use an authentication agent with which to
store user passwords for services so that the user is only prompted once per
session (indeed, their login password could maybe suffice).  This password
is used as the private key to a small db of passwords, which any program
can register with.  The concept is akin to ssh-agent.  Would this be a
possible thing - or are there problems with this approach as well?  How
difficult would it be to implement?


Chris

--

----------------------------------------------------------------------
The box said "Windows 95, NT or better" .. so I installed Debian Linux
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key.  KeyID 0xA9E087D5
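
A sketch of the agent idea raised in the message above, added here as an example and not code from the post or from any existing agent: one master password, entered once per session, unlocks a small encrypted store of per-service passwords. The names `seal` and `Agent` and the service label are hypothetical, and the HMAC-SHA256 counter-mode keystream is a stand-in for the AEAD cipher a real implementation would take from a cryptographic library.

```python
import hashlib, hmac, json, os

def _derive(master, salt):
    # Stretch the session password into separate encryption and MAC keys.
    k = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode (assumption: stand-in for a real AEAD).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(master, db):
    """Encrypt-then-MAC the password store for storage on disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(master, salt)
    pt = json.dumps(db).encode()
    body = salt + nonce + _xor(pt, _keystream(enc_key, nonce, len(pt)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

class Agent:
    """Holds the decrypted store in memory for one session."""
    def __init__(self, blob, master):
        body, tag = blob[:-32], blob[-32:]
        salt, nonce, ct = body[:16], body[16:32], body[32:]
        enc_key, mac_key = _derive(master, salt)
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()
        # Verify before decrypting: rejects a wrong password and tampering.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("wrong master password or corrupted store")
        self._db = json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))

    def get(self, service):
        # A client program asks by service name; it never sees the master key.
        return self._db[service]

    def lock(self):
        # End of session: drop the plaintext entries.
        self._db = {}
```

While the agent is unlocked the plaintext passwords live in its memory, so this protects the store at rest rather than against another process running as the same user.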
