Re: Trillian weakly encrypts saved passwords

From: Mike Benham (moxie@thoughtcrime.org)
Date: 09/09/02


Date: Mon, 9 Sep 2002 11:29:14 -0700 (PDT)
From: Mike Benham <moxie@thoughtcrime.org>
To: Evan Nemerson <enemerson@coeus-group.com>


I think you'll find that there isn't really a secure way to store
passwords locally. I think Trillian has done the right thing here by
obfuscating saved passwords to prevent casual shoulder-surfing.

Trillian could use PBKDF2 to save the passwords locally, but then you'd
have to enter a password to retrieve your saved password. If you have
reason to worry about the security of your saved password, don't save it.

- Mike

--
http://www.thoughtcrime.org

On Mon, 9 Sep 2002, Evan Nemerson wrote:

> Software:
> Trillian 0.73, possibly other versions.
>
> Issue:
> Weak "encryption" of saved passwords.
>
> Impact:
> Decryption of saved passwords.
>
> Vendor notified:
> 3 Sept., 2002. No response.
>
> Severity:
> Medium. ish. The program only works locally, and only if the subject
> has saved their password, and really if someone can get into your AIM
> account, how earth-shattering is that??? However, since a lot of people use
> the same password for everything...
>
> ---------------------
>
> Trillian is, according to trillian.cc, "...everything you need for instant
> messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger, Yahoo!
> Messenger and IRC in a single, sleek and slim interface."
>
> Upon examination of the Trillian directory (which defaults to C:\Program
> Files\Trillian\ ), it appears that passwords are stored in ini files that are
> located in {Path to Trillian}\users\{WindowsLogon}. The passwords are
> encrypted using a simple XOR with a key apparently uniform throughout every
> installation.
>
> The attached program takes, as command line argument(s), path(s) to these INI
> files. It will then display a list of usernames, "encrypted" passwords, and
> plaintext passwords.
>
>
> Evan Nemerson
> enemerson@coeus-group.com
> http://www.coeus-group.com
