Bugtraq mailing list archives

Re: Respondus v1.1.2 stores passwords using weak encryption


From: Philip Rowlands <phr () doc ic ac uk>
Date: Fri, 24 Aug 2001 11:55:45 +0100 (BST)

On Thu, 23 Aug 2001, Desmond Irvine wrote:

> Respondus Version 1.1.2 (7-26-2001) stores passwords using weak encryption.
>
> [snip]
>
> Work-around:
>
> - uncheck "Remember my User Name and Password (save them on this computer)"
>   you should have never checked it in the first place (even if it isn't a
>   shared computer).
>
> The vendor has been notified and is planning on addressing the issue in the future.

Must we debate this non-issue again? Yes, if you ask the application to
remember your password, it stores it in a retrievable form. The "weak
encryption", as you call it, would be better termed "light obfuscation".
Its purpose is not to prevent someone with access to the data from
recovering the "plaintext" or unobfuscated password. Rather, it is to
prevent unintentional revealing of the password during casual browsing
of files.

You will *always* be able to duplicate the action of the
password-remembering application, which by definition must contain code
to obtain the unobfuscated password with no further user input.

See previous bugtraq posts regarding Netscape Messenger's scheme for
password archiving:

<370CE37B.2A066C20 () uic nnov ru>
<370D20EF.BE1A63A () vt edu>
(Sorry, I don't have URLs available)


Cheers,

Phil

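The point Phil makes above, as an added illustration that is not part of the original thread and does not reproduce Respondus's real storage format (the scheme, the constant EMBEDDED_KEY and the function names are constructed for this example): a store that the application can restore with no further input is just as restorable by anyone holding the file and the program's embedded constant, and the only way to deny that recovery is to require a secret the file does not contain, here a master password.

```python
import hashlib
import hmac
import os

# Constructed toy scheme (an assumption), not Respondus's real storage format.
# The application ships this constant inside its binary.
EMBEDDED_KEY = b"constructed-app-constant"


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a simple stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def remember(password: str) -> bytes:
    """'Remember me' storage: obfuscated with a key the app already holds."""
    return _xor(password.encode(), EMBEDDED_KEY)


def restore_without_input(blob: bytes) -> str:
    """What the app does at startup; anyone with the file and the binary
    (hence EMBEDDED_KEY) can do exactly the same, so this is obfuscation."""
    return _xor(blob, EMBEDDED_KEY).decode()


def protect(password: str, master: str) -> bytes:
    """Real protection needs a secret absent from the file: a master password
    the user must type again, i.e. the 'further user input' Phil mentions."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)
    ct = _xor(password.encode(), key)
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def recover(blob: bytes, master: str):
    """Returns the password for the right master password, None otherwise."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)
    expected = hmac.new(key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, key).decode()
```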
