Date: Fri, 05 Aug 2005 22:01:16 -0400
From: Suramya Tomar <security@...amya.com>
To: patrick <mccpat@...il.com>
Cc: Keith Phillips <kphillips@...rdreamcorp.com>,
	bugtraq@...urityfocus.com
Subject: Re: Trillian Ver 3.1 saves password's in plain Text


Hi Patrick,

> I'd just like to add that, while it may not be relevant, Gaim does
> the same thing (in Window$). It stores the passwords in plain text, in
> the User accounts directory (i.e. c:\documents and settings\user123).
> More on that here. <http://gaim.sourceforge.net/plaintextpasswords.php>

I agree with you that gaim also stores the password in plain text, but 
there are the following differences that make gaim more secure than Trillian:

* Gaim by default doesn't save any passwords; you have to tell it to 
save them. Trillian, on the other hand, saves all passwords without any 
prompting at all. (These include the AOL/Yahoo/MSN passwords.)

* Trillian stores the password in the <Install 
Directory>/users/default/cache directory, which is a world-readable 
directory. gaim, on the other hand, stores it in c:\documents and 
settings\<Username>\Application Data\.gaim, which is only readable by 
<username>. This somewhat limits the potential damage in gaim. (Not 
completely, but a little bit.)

* The gaim developers actually tell people about this and warn users 
about the potential dangers of saving passwords. Trillian, on the 
other hand, doesn't say a word about this on their site (I looked).

* You can disable the saving of passwords in gaim. You can't stop 
Trillian from creating the file with the password unless you stop using 
the check email function.

Thanks,
  Suramya


----------------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------

************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************
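The practical difference the message draws is who can read the directory holding the credential cache. The following PowerShell audit is an added example, not part of the original post or of either client: it inspects the ACL of the two locations named above and reports whether broad principals (Everyone, BUILTIN\Users, Authenticated Users) hold read access. The Trillian install path is an assumption; adjust it for the machine being checked.

```powershell
# Added example (not from the original post): report whether a directory's ACL
# grants read access to broad local principals, i.e. whether it is effectively
# "world readable" on a shared workstation.
$TrillianInstall = 'C:\Program Files\Trillian'   # assumption; adjust as needed
$Candidates = @(
    (Join-Path $TrillianInstall 'users\default\cache'),   # path named in the message
    (Join-Path $env:APPDATA '.gaim')                     # per-user profile location
)

# Identities whose read access amounts to "any local user can read it".
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$ReadData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-BroadReadAccess {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; BroadReaders = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    $readers = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        # An Allow ACE carrying ReadData (or any superset such as Read, Modify,
        # FullControl) lets that principal open files in the directory.
        if (([int]$rule.FileSystemRights -band $ReadData) -ne 0) {
            $rule.IdentityReference.Value
        }
    }
    [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        BroadReaders = @($readers | Sort-Object -Unique)
    }
}

foreach ($p in $Candidates) {
    $r = Test-BroadReadAccess -Path $p
    if (-not $r.Exists) { "$($r.Path): not present"; continue }
    if ($r.BroadReaders.Count -gt 0) {
        "$($r.Path): readable by $($r.BroadReaders -join ', ') - a credential cache here is exposed to other local users"
    } else {
        "$($r.Path): no broad read access"
    }
}
```

Inherited ACEs are included in `$acl.Access`, so a cache directory under a Program Files install will typically show BUILTIN\Users with read access, which is exactly the exposure the message describes.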