Date: Sat May  6 17:41:07 2006
From: goan.rootu at gmail.com (John Doe)
Subject: Windows XP Home LSA secrets stores XP login passphrase in plain text

> You obviously didn't bother to read this part of my message:
> - "You can, for example, decrypt all EFS encrypted files"
> - "You can, for example, try that same password in all kinds
> of places where that user is logging in (since chances are he's using
> the same password or variations of it elsewhere)."
> You can NOT do these if you just get physical access to the computer
> (without this bug), since EFS remains secure and your password unknown
> to attacker.

> Especially focus on the following I said:
> - "..The next time users sign in to the computer, their passwords etc.
> can be recorded and abused by villain. However, notice the words "next
> time users sign in"! If someone steals the computer, that doesn't happen.
> If someone leaves hints that system is tampered, that doesn't happen."

I did read it. And I'm not belittling the fact that storing cleartext
passwords is bad. As for EFS, once you get hold of the administrator
account, you can decrypt the EFS for _all_ users on the computer. It doesn't
matter how you acquired the password.
And for using the same password in "all kinds of places": how does this
differ from just cracking someone's password from a web portal and using that in
"all kinds of places"?


> If someone leaves hints that system is tampered, that doesn't happen.

And how will he verify the filesystem isn't tampered with? I don't think
most people would immediately wipe the disk without logging in and trying to
see if anything has happened. Or try to use forensic CDs or the like. And if
they would wipe it, they'd probably choose the same passwords again :)

But yes, I do agree with you that what you uncovered is an issue, since
passwords shouldn't be stored as cleartext ever. I was just stating that requiring
local, physical access to the computer makes it almost unusable. Sure, there are
situations where it could be used, I'm not denying that, but with the kind of
stuff that's moving on the net at the moment, this issue isn't on my critical list.

Have you reported the details to M$?