Flutterby™! : Password Caching

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics

Password Caching

2001-01-28 22:28:12+00 by ebradway 4 comments

Crikies, mate! Upon searching the registry for Bonzi dropping, I came across this key: HKEY_LOCAL_MACHINE\Software\Microsoft\General For some reason, Windows has seen fit to cache my passwords - and not just my webpage passwords. Even my ssh passwords are in there - in PLAIN TEXT!!!

[ related topics: Microsoft ]

comments in ascending chronological order (reverse):

#Comment made: 2002-02-21 05:31:02+00 by: TheSHAD0W

Microsoft is one big security hole. I thought you already knew that.

#Comment made: 2002-02-21 05:31:03+00 by: Dan Lyke

I'm the last person you'd ever expect to hear defending Microsloth, but ya know how a whole lot of Linux newbies just chmod a+w everything, or run as root, and assume that physical security of the machine will save them? Windows is that, without the option of tightening things down. Security is not an operating system, it's a way of thinking and behaving. Yes, an operating system can enable the right behavior, and Windows doesn't, but as Eric knows the hard bit about implementing security is in changing the way people think about their behavior. Yes, saving passwords in plain text in world readable place a bad idea. But if 99.44% of your users are going to write them on Post-Ittms stuck to their monitors in their cubicle then by protecting the .56% you're really not doing all that much good. It's kinda like being able to get to a machine with vital private SSH keys user accessible via an unencrypted channel. Something Eric and I have seen done by someone who should've known better (and presumably does now...).

#Comment made: 2002-02-21 05:31:03+00 by: TheSHAD0W

No, there is a difference. MS's OSes are so cumbersome in design and layout that it's practically impossible to know everything the OS is doing. You weren't aware your passwords were cached in that registry key -- how do you know for sure they aren't cached elsewhere, too? In another key or a file, obscured by encryption that is enough to keep you from searching for them but lousy enough that anyone who knows where to look can read everything? With *ix, at least there are people constantly perusing the code, looking for such little surprises.

#Comment made: 2002-02-21 05:31:03+00 by: ebradway

I think it may be time to write a service for WinX that constant scans the registry and file systems for passwords. Of course you have the dilemma of how that program stores it's search strings... I've seen folks unplug a Sun server running a CA and then extract the CA's keys from the resulting core dump. Yes, physical access is a big part of hacking and most users aren't security-aware enough to avoid problems. Fortunately, most hackers are reclusive and don't try significant social engineering.