Re: Leaks

From: Alun Jones (alun@texis.com)
Date: 07/02/02


From: alun@texis.com (Alun Jones)
Date: Tue, 02 Jul 2002 00:39:32 GMT

In article <afo7ee$r78$1@slb7.atl.mindspring.net>, my_email@my_domain_here.com
(Pedro Hin) wrote:
>There should be no need for anyone to EVER have your password. There are PC
>migration tools out there which will allow the PC tech to do whatever needs to
>be done without actually acquiring access to the user's data or accounts.

Except for the situation where you're converting accounts from tool/system A
to tool/system B, and the two tools/systems use incompatible hash methods.

I get this request from my users all the time, and so far I've simply said
"look, it's a hash, and you can't get the passwords out once they're put in."
But can you imagine what a lock-in is created by a hash scheme? You've got a
few hundred users, and you've decided that the software you've been using is a
PoS, and that a new piece would be a great idea; then you consider the
difficulty of rolling it out and explaining to a few hundred users why they
need to create new passwords in a new system... Yuck. I'm glad it's not my
job; but I'm miffed that it might be affecting my sales.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
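
An added illustration of the situation described in this post (not code from the poster or from any product named here): two constructed, incompatible hash formats stand in for "system A" and "system B", and a stored A record can only be replaced by a B record at the moment the user supplies the password, here at login. The scheme choices, record layout and function names are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for two products' incompatible password formats.
def hash_a(password: str, salt: bytes) -> bytes:
    """Assumed legacy 'system A' format: one salted SHA-256 pass."""
    return hashlib.sha256(salt + password.encode()).digest()

def hash_b(password: str, salt: bytes) -> bytes:
    """Assumed new 'system B' format: PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SCHEMES = {"A": hash_a, "B": hash_b}

def make_record(scheme: str, password: str) -> dict:
    """Create a stored credential; only possible with the plaintext in hand."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": SCHEMES[scheme](password, salt)}

def login(db: dict, user: str, password: str) -> bool:
    """Verify under the record's own scheme; upgrade A records to B on success."""
    rec = db.get(user)
    if rec is None:
        return False
    candidate = SCHEMES[rec["scheme"]](password, rec["salt"])
    if not hmac.compare_digest(candidate, rec["hash"]):
        return False
    if rec["scheme"] != "B":
        # The plaintext is available only now, so this is the one point
        # where a B hash can be computed for this account.
        db[user] = make_record("B", password)
    return True

def pending(db: dict) -> list:
    """Accounts still stored in the legacy format (user has not logged in yet)."""
    return sorted(u for u, r in db.items() if r["scheme"] != "B")

def demo() -> list:
    # Constructed sample accounts, both imported from 'system A'.
    db = {"alice": make_record("A", "correct horse"),
          "bob": make_record("A", "battery staple")}
    login(db, "alice", "wrong guess")    # fails, record stays in format A
    login(db, "alice", "correct horse")  # succeeds, record rewritten as B
    return pending(db)                   # bob has not logged in yet

if __name__ == "__main__":
    print("still on legacy hash:", demo())
```

Accounts that never log in again stay in the legacy format, so the old verifier has to remain available until `pending()` is empty or those users go through a reset.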
