[4234] in bugtraq
Re: Password problem in Trumpet Winsock.
daemon@ATHENA.MIT.EDU (John Sheehy)
Mon Apr 7 14:35:18 1997
Date: Mon, 7 Apr 1997 02:50:03 -0400
Reply-To: John Sheehy <jes@GROVE.UFL.EDU>
From: John Sheehy <jes@GROVE.UFL.EDU>
X-To: null <null@WEB.PIEDMONT.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199704062046.QAA03827@web.piedmont.edu>
On Sun, 6 Apr 1997, null wrote:
| I've known of this bug for over a year and a half now, and am tired of
| waiting to see if Trumpet will ever fix it.
|
| It is possible to open trumpwsk.ini, take the encrypted string for the
| $password= variable, and place it in the ppp-username= variable. This
| allows one to start up tcpman.exe, go to File > PPP Options and get the
| user's password.
[...]
I use this script in TWSK 2.0b to recover passwords:
# little script
load $password
output \13
display "password: "
display '$password'
output \13\13
#end
Doesn't take much, does it?
I think it's generally a bad idea to store your password in any kind of
dialer program.
Passwords authenticate people, not machines. Your machine shouldn't "know"
your password. Machine-to-machine authentication should be performed in a
protocol that doesn't use a password as the shared secret.
-John Sheehy