Wireshark mailing list archives

Re: Passwordlist in Wireshark - User feedback wanted


From: Sake Blok | SYN-bit <sake.blok () SYN-bit nl>
Date: Mon, 17 Jun 2019 13:40:38 +0200

Hi Dario,

On 17 Jun 2019 (Mon), at 11:23, Dario Lombardo <lomato () gmail com> wrote:

Hi Sake

On Mon, Jun 17, 2019 at 7:01 AM Sake Blok | SYN-bit <sake.blok () syn-bit nl> wrote:
Personally I don't like the option to have a central place to add credential information to show to the user. I think 
this crosses the (very thin) line between "being able to see a password" and "being a tool to extract passwords".


Personally this is what I like of it :). But indeed this is a discussion about lines crossed, so anybody's opinion 
and previous experience is welcome. The line between see and extract sounds to me like the Richard's picture of 
orchids. Wireshark can already extract the credentials: they are dissected and put under the proper proto item with 
names like "auth", "credential", "password", etc. This is rather different than "follow tcp stream" of an undissected 
protocol, that contains credentials. The patch doesn't give more "power" to the user: just instead of scripting 
tshark or jumping between packets it makes easier reading them through a dialog. IMHO Wireshark is already a tool to 
extract passwords.

I understand your point of view. However, needing a little more knowledge to extract passwords than just clicking on 
the "show me all credentials" is a good thing IMHO. If this feature is used to raise security awareness, then having a 
list of usernames with **** passwords to show for which users passwords are present in the pcap file is enough, no need 
to show the passwords themselves. If an individual password is needed, it can easily be obtained by going to the packet 
that has the password without showing all passwords in a list. 

To me for troubleshooting issues, it is sufficient to see the usernames and sometimes extract a password, but I do not 
need a list of them.
For security awareness, you do not need the passwords, just the protocol and username and the fact that the password is 
available in the pcap file.
For hacking you would want to have the full list, but then I would prefer people to use other available tools to keep 
Wireshark on the friendly side of the line.

What use-case do you see for a list of all passwords (where a list of just the usernames is not enough)?

Just my €0,02

Taken ;).

Make sure to collect them at a next Sharkfest ;-)

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
