[22398] in bugtraq
Re: Respondus v1.1.2 stores passwords using weak encryption
daemon@ATHENA.MIT.EDU (E. van Elk)
Thu Aug 23 21:32:56 2001
Message-Id: <5.1.0.14.2.20010823222101.00b12410@pop.eve-software.com>
Date: Thu, 23 Aug 2001 22:28:05 +0200
To: bugtraq@securityfocus.com
From: "E. van Elk" <evelk@dsv.nl>
In-Reply-To: <3B855889.7CA56894@sheridanc.on.ca>
At 21:24 23-8-2001, Desmond Irvine wrote:
>Respondus Version 1.1.2 (7-26-2001) stores passwords using weak encryption.
>
It's not only Respondus, but many other programs that need to store
passwords for, let's say, FTP access that use a very weak encryption system.
Two examples I recently discovered are UltraEdit v8.x and CuteFtp v4.2.
Both use a very weak encoding system to store passwords for the FTP
accounts. CuteFtp uses quite a weak system, but when using a password for
the site manager, the sm.dat file is encrypted and it makes access to the
encrypted passwords a little harder.
For some more info about the used encryption methods:
http://www.eve-software.com/security
In the help-file from UltraEdit, the following section can be found:

"This checkbox determines if UltraEdit will save the password for later
reference. If not the user will be prompted for the password as
required. Note – if the password is saved it is stored on the system. It
is encrypted however the encryption mechanism is unsophisticated and should
not be relied upon as a method of security."
---
Edwin van Elk
evelk@dsv.nl