Re: Plain text password for Microsoft (icwip.dun)
From: Roland Postle (mail@blazde.co.uk) Date: 07/09/02
From: "Roland Postle" <mail@blazde.co.uk> To: <vuln-dev@securityfocus.com> Date: Tue, 9 Jul 2002 21:38:12 +0100
> > Recommendations
> > ---------------
> > Store passwords in an encrypted form
>
> How are you gonna accomplish this since the password has to go 'over the
> wire' in plaintext? To be able to authenticate with the password you need to
> be able to decrypt it.. right?
'Storing' the password in encrypted form would be quite easy to accomplish,
and it would at least stop the casual snooper. You could argue that the same
passwords /are/ encrypted when they're put in the registry, so why not in
.ins files too? It increases the security a tad.
Anyway, for a complete solution I think we should wait for... Palladium and
TCPA-based modems.
- Blazde