[13008] in bugtraq
Re: Reinventing the wheel (aka "Decoding Netscape Mail passwords")
daemon@ATHENA.MIT.EDU (Rob Jones)
Fri Dec 17 12:38:14 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3859C44A.5A8B6364@cwo.com.au>
Date: Fri, 17 Dec 1999 16:04:10 +1100
Reply-To: Rob Jones <robert.e.jones@CWO.COM.AU>
From: Rob Jones <robert.e.jones@CWO.COM.AU>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> > case Netscape needs to run out and get a bar so they can raise it.
>
> This is a red herring. Local secure storage of secrets in PCs without another
I dont know if it applies to windoze but the Linux & xBSD versions of
netscape store the 'encoded' (not encrypted) password even if
the user never ticks the remember password box.
Now that Netscape should fix!
> Local secure storage of secrets is a service that needs to be provided
> by the operating system. In the case of Windows NT you can store them
> (with some limitations) using the Local System Authority (LSA) API. Under
> Windows 95/98 there is an API to store secrets using the users logon password
> (stores the secrets in .PWL files) but to my knowledge it is not documented
> by Microsoft (although they allude to it in some early Windows 95 presentation
> slides). Maybe someone with more knowledge of Microsoft operating systems
> can confirm?
Regardless of if the secrets are encoded with the users password they
are decodable anyway. There are plenty of password extractors for .pwl files.
Rob
