Bugtraq mailing list archives
Re: Respondus v1.1.2 stores passwords using weak encryption
From: Philip Rowlands <phr () doc ic ac uk>
Date: Fri, 24 Aug 2001 11:55:45 +0100 (BST)
On Thu, 23 Aug 2001, Desmond Irvine wrote:
> Respondus Version 1.1.2 (7-26-2001) stores passwords using weak encryption.

[snip]

> Work-around:
> - uncheck "Remember my User Name and Password (save them on this computer)" you should have never checked it in the first place (even if it isn't a shared computer).
>
> The vendor has been notified and is planning on addressing the issue in the future.

Must we debate this non-issue again?

Yes, if you ask the application to remember your password, it stores it in a retrievable form. The "weak encryption", as you call it, would be better termed "light obfuscation". Its purpose is not to prevent someone with access to the data from recovering the "plaintext" or unobfuscated password. Rather, it is to prevent unintentional revealing of the password during casual browsing of files.

You will *always* be able to duplicate the action of the password-remembering application, which by definition must contain code to obtain the unobfuscated password with no further user input.

See previous bugtraq's regarding Netscape Messenger's scheme for password archiving:

<370CE37B.2A066C20 () uic nnov ru>
<370D20EF.BE1A63A () vt edu>

(Sorry, I don't have URLs available)

Cheers,
Phil
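
The distinction drawn in the reply above, as an added example that is not part of the original post and is not code from Respondus or Netscape Messenger: a saved password protected with a key embedded in the application is recoverable from the file alone, however strong the cipher, while one sealed under a user-typed passphrase is not. All names (`APP_KEY`, `remember`, `recall`, `seal`, `unseal`) and sample values are constructed, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import os

# Assumption: stands for any constant shipped inside the application binary.
APP_KEY = b"constructed-key-shipped-in-the-binary"

def _keystream(key: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def remember(password: str) -> bytes:
    """'Remember my password': hides the value from casual file browsing."""
    return _xor(password.encode(), APP_KEY)

def recall(blob: bytes) -> str:
    # Needs only the stored blob and the application itself: no user input,
    # so anyone holding both can repeat this step.
    return _xor(blob, APP_KEY).decode()

def _derive(master: str, salt: bytes) -> bytes:
    # 64 bytes: first half encrypts, second half authenticates.
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)

def seal(password: str, master: str) -> bytes:
    """Alternative: the key comes from a passphrase typed on every use."""
    salt = os.urandom(16)
    key = _derive(master, salt)
    ct = _xor(password.encode(), key[:32])
    tag = hmac.new(key[32:], salt + ct, hashlib.sha256).digest()
    return salt + tag + ct

def unseal(blob: bytes, master: str) -> str:
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = _derive(master, salt)
    expected = hmac.new(key[32:], salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master passphrase or corrupted blob")
    return _xor(ct, key[:32]).decode()
```

The second form only protects the saved value because it gives up the "no further user input" property the reply describes; it is no longer a remember-my-password feature in the original sense.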