Bugtraq mailing list archives
Secure Storage of Secrets in Windows
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Mon, 17 May 1999 14:57:31 -0700
Not long ago we discussed why you still see messages that describe yet another application that stores passwords in an insecure manner, in particular under Windows. The bottom line was that there are two common cases. The first one is where an application needs to authenticate a user against the password. In many of these cases the plaintext password can be replaced by a one-way hash with little or no loss of functionality. The second case is that where an application requires the password to authenticate itself against a service on behalf of the user, but without prompting them for the password after the first time.

Several people mentioned that an application or agent could be created that can securely store these secrets for many applications. The user would then only need to authenticate once against this application or agent to allow any other applications running under its id to request their secrets. Although this system does not stop rogue applications (e.g. trojans, BackOrifice) from stealing the secrets, it does stop a whole range of vulnerabilities from doing so (e.g. javascript file stealing vulnerabilities, world-readable shares, etc).

The Win32 API provides such a service. Although in the past its encryption was found to be rather weak, Microsoft claims to have fixed it, no one else has claimed otherwise, and it's better than nothing. (References: http://www.netsys.com/firewalls/firewalls-9512/0442.html http://www.geek-girl.com/bugtraq/1995_4/0138.html ). So here is a reminder to Windows application programmers that you can use WNetCachePassword and WNetGetCachedPassword, which in some documentation MS calls the Master Password API.

--
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
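The first case above, an application that only needs to check a user's password, is where the post says the plaintext can be replaced by a one-way hash with little or no loss of functionality. The following is an added example that is not part of the original message: it stores a salted PBKDF2 digest instead of the password, verifies a login against that record, and converts a constructed legacy configuration that held the password in the clear. The record format, function names and the `upgrade_legacy` helper are this example's own, and the sample credentials are made up.

```python
"""Added example (not from the original post): replace a stored plaintext
password with a salted one-way hash and keep authentication working.
The record layout and helper names below are this example's own."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # work factor; raise it as hardware allows


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return the string an application should persist instead of the password:
    algorithm, iteration count, salt and digest, hex-encoded and '$'-separated.
    Nothing in the record lets the password be recovered; a fresh random salt
    means two users with the same password still get different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the digest from the supplied password using the stored salt and
    iteration count, then compare in constant time so timing does not leak
    how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def upgrade_legacy(config: dict) -> dict:
    """Convert a constructed legacy record of the form
    {"user": ..., "password": "<plaintext>"} into one that carries only the
    hash. The application keeps the ability to authenticate the user (verify())
    while the plaintext no longer exists on disk."""
    upgraded = {k: v for k, v in config.items() if k != "password"}
    upgraded["password_hash"] = make_record(config["password"])
    return upgraded


if __name__ == "__main__":
    legacy = {"user": "alice", "password": "hunter2"}  # constructed sample
    hardened = upgrade_legacy(legacy)
    print(hardened)
    print("login ok:", verify("hunter2", hardened["password_hash"]))
    print("wrong password rejected:", not verify("hunter3", hardened["password_hash"]))
```

The stored record carries its own algorithm tag, iteration count and salt, so the work factor can be raised later (re-hash on the next successful login) without breaking existing records; `verify` fails closed on anything it cannot parse.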