Bugtraq mailing list archives
Re: Secure Storage of Secrets in Windows
From: bronek () wpi com pl (Bronek Kozicki)
Date: Thu, 20 May 1999 19:14:49 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To disable password caching in Windows NT, one should set the following registry value to 0. By default it's not set, and assumed to be 10.

Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: CachedLogonsCount
Type: REG_DWORD
Value: 0 to 50

Information about this registry value can be found in KB article Q172931.

Bronek Kozicki
- --------------------------------------------------
ICQ UID: 25404796
PGP KeyID: 0x4A30FA9A
07EE 10E6 978C 6B33 5208 094E BD61 9067 4A30 FA9A

- -----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () NETSPACE ORG]On Behalf Of Nick FitzGerald
Sent: Tuesday, May 18, 1999 2:35 PM
To: BUGTRAQ () NETSPACE ORG
Subject: Re: Secure Storage of Secrets in Windows

The Win32 API provides such a service. Although in the past it was found that its encryption was rather weak, Microsoft claims to have fixed it, no one else has claimed otherwise, and it's better than nothing. (References:
http://www.netsys.com/firewalls/firewalls-9512/0442.html
http://www.geek-girl.com/bugtraq/1995_4/0138.html ).
So here is a reminder to Windows application programs that you can use WNetCachePassword and WNetGetCachedPassword, which in some documentation MS calls the Master Password API.

Indeed. And for admins who wish to prevent user machines from caching passwords the following Win9x REG file may be useful:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001

Apply that to a client machine then nuke all PWL files in the Windows dir and you need not worry whether future vulnerabilities might open you to exposure from cached passwords.

I imagine there is something similar for NT. Anyone know the details?

Regards,
Nick FitzGerald

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.0.2i

iQA/AwUBN0Q0Xr1hkGdKMPqaEQIu7QCgnGIIkG6/sqbfpNz1X7VwrXDjKh8AoIYe
gwtMemc7l4H8HM6L6hh/IXMk
=Q7gq
-----END PGP SIGNATURE-----
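
An added example, not part of the original thread: a small Python audit that parses a REGEDIT4 export and reports whether the two settings named in the posts above are in their cache-disabling state. The sample export is constructed, the function names are hypothetical, and treating an unset CachedLogonsCount as 10 follows the post.

```python
import re

# Constructed sample: a REGEDIT4 export from a hypothetical client machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"
'''

# Key paths from the thread, lowercased because registry paths are case-insensitive.
WIN9X_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\network"
NT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.lower().startswith("dword:"):
            current[name] = int(raw[6:], 16)   # dword data is hexadecimal
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            current[name] = raw[1:-1]
    return keys

def audit(text):
    """Report whether each setting from the thread disables caching."""
    keys = parse_reg(text)
    pwd = keys.get(WIN9X_KEY, {}).get("disablepwdcaching")
    count = keys.get(NT_KEY, {}).get("cachedlogonscount")
    # Per the post, an unset value is assumed to be 10. An export may carry
    # the data as a string or a dword, so normalise both to int.
    try:
        count = 10 if count is None else int(count)
    except ValueError:
        count = None   # unparseable data: report it rather than guess
    return {"win9x_pwl_caching_disabled": pwd == 1,
            "nt_cached_logons": count,
            "nt_logon_caching_disabled": count == 0}
```
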