[10585] in bugtraq
Re: Secure Storage of Secrets in Windows
daemon@ATHENA.MIT.EDU (Olaf Titz)
Wed May 19 15:05:23 1999
Message-Id: <E10k107-00067E-00@g212.hadiko.de>
Date: Wed, 19 May 1999 09:42:51 +0300
Reply-To: Olaf Titz <olaf@BIGRED.INKA.DE>
From: Olaf Titz <olaf@BIGRED.INKA.DE>
To: BUGTRAQ@NETSPACE.ORG
> The Win32 API provides such service. Although in the past it was found
> that its encryption was rather weak, Microsoft claims to have fixed it,
> no one else has claimed otherwise, and it's better than nothing.
Since this allows the encryption of user data and Microsoft is U.S.
based, the algorithm _must_ be weak. Otherwise they could have used
just RC4 with the password as key instead of RC4 with a 32 bit(!)
hash of the password. This is not Microsoft stupidity but U.S.
government stupidity.
With today's CPU power 32 bits of key is not better than nothing.
I could brute force that in one week with my single PC.
Olaf