lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <ab62712b0605052357r245a3fdend97f1eb06274638d@mail.gmail.com>
Date: Sat May  6 17:41:07 2006
From: goan.rootu at gmail.com (John Doe)
Subject: Windows XP Home LSA secrets storesXP
	loginpassphrase in plain text

> You obiously didnt bother to read these part of my message:
- "You can, for example, decrypt all EFS encrypted files"
- "You can, for example, try that same password in all kinds
of places where that users is logging in (since chances are hes using
the same password or variations of it elsewhere)."
You can NOT do these if you just get physical access to the computer
(without this bug), since EFS remains secure and your password unknown
to attacker.

>Especially focus on the following I sayed:
- "..The next time users sign in to the computer, their passwords etc.
can be recorded and abused by villan. However, notice the words "next
time users sign in"! If someone steals the computer, that doesnt happen.
If someone leaves hints that system is tampered, that doesnt happen."

I did read it. And I'm not belittling the fact that storing cleartext
passwords
is bad. As what comes to EFS, once you get hold of the administrator
account, you can decrypt the EFS for _all_ users on the computer. It doesn't
matter how you acquired the password.
And for using the same password in "all kinds of places". How does this
differ
from just cracking someones password from a webportal and using that in
"all kinds of places".


> If someone leaves hints that system is tampered, that doesnt happen.

And how will he verify the filesystem isn't tampered with? I don't think
most
people would immediatly wipe out the disk without logging in and trying to
see
if anything has happened. Or try to use a forensics cd's or the like. And if
they
would wipe it, they'd propably choose the same passwords again :)

But yes, I do agree with you that what you uncovered is an issue, since
passwords
shouldn't be stored as cleartext ever. I was just stating that requiring
local, physical
access to the computer makes it almost unusable. Sure, there are situations
where
it could be used ,I'm not denying that, but with the kind of stuff that's
moving on the
net at the moment, this issue isn't on my critical list.

Have you reported the details to M$?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060506/eed9f9a5/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ