
RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2



Message-ID: red-16-msg951219235645MTP[01.51.00]000000c4-63326

I think you have misinterpreted the implications of the dialog box you saw.

The authentication information that is saved to the hard drive (in the
user's personal Password List) is encrypted with the user's login
password. (To be more precise, the user's login password is used to
generate a key, with which all the other passwords are encrypted. This 
key used to be too short (32 bits), so we've made available a 128 bit 
version -- see http://www.windows.microsoft.com/windows/software/mspwlupd.htm)

Hence, no security relevant information is left in the clear on the
hard drive, *and* the user doesn't have to memorize their passwords. Or
worse -- often, naive users with a lot of passwords to remember write
them down somewhere, thus exposing them to compromise.

Thus, when the user logs out, the user's password list is unavailable
to other users. In addition, Windows can be configured to require a
password to unlock the machine if it is ever left idle for more than a
few minutes, thus protecting the user even while logged in.

Paul Leach
----------
] From: Troy Denkinger  <T.Denkinger@ccmail.mi04.zds.com>
] To:  <hickey@ctron.com>;  <lstein@genome.wi.mit.edu>; Jeff
] Treuhaft  <jeff@netscape.com>
] Cc:  <www-security@ns2.rutgers.edu>;  <dave.mccomb@gs.com>;
] <jcarroll@redman.canada.dg.com>;
] <tara@linkage.cpmc.columbia.edu>
] Subject: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
] Date: Tuesday, December 19, 1995 10:18AM
]
]
] >Let me first clarify that Netscape Navigator does not save the passwords
] >used to access a protected document in any hidden files.
]
] >Second the problem you have noticed is indeed a bug in the 2.0 beta
] >versions of Netscape Navigator.
]
] This may be a bug in NS2.0 betas, but it seems to actually be a "feature" in the
] Microsoft Internet Explorer for Win95.  Authentication information is actually
] saved onto the hard drive, it appears.
]
] For instance, I have a secure area on our server.  I haven't logged into that
] area for weeks.  I just went there and a dialog pops up with the username and
] password all neatly typed in.  At least the password was *ed out.  Furthermore,
] there's a checkbox with the option to "Save This Password In Your Password
] List."
]
] There's some security for ya.  This is with the current version of the MS
] Internet Explorer available from MS's web site.
]
] Troy Denkinger
]
]


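As an added illustration of the design Paul describes above (the login password generates a key, and that key encrypts every stored password, so nothing sensitive sits in the clear on disk), here is a small worked example. It is constructed for this page and is not Microsoft's Password List format or code: the PBKDF2 key derivation, the HMAC-based encrypt-then-MAC construction, the field names and the sample entries are all assumptions. It also shows why the key length matters, by comparing the search space of the old 32-bit key with the 128-bit replacement.

```python
"""Constructed example: a password list sealed under a key derived from the
user's login password.  Not the Windows PWL format; names and construction
are assumptions made for illustration."""
import hashlib
import hmac
import json
import os
from typing import Optional

KDF_ITERATIONS = 100_000   # deliberately slow: limits offline guessing of the login password
NONCE_LEN = 16


def derive_keys(login_password: str, salt: bytes, key_bits: int) -> tuple:
    """Stretch the login password into an encryption key of key_bits bits plus a
    separate 256-bit MAC key (PBKDF2-HMAC-SHA256, an assumption for this example)."""
    enc_len = key_bits // 8
    material = hashlib.pbkdf2_hmac("sha256", login_password.encode("utf-8"),
                                   salt, KDF_ITERATIONS, dklen=enc_len + 32)
    return material[:enc_len], material[enc_len:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudo-random keystream (illustrative PRF;
    a production design would use an authenticated cipher such as AES-GCM)."""
    blocks = [hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal_password_list(login_password: str, entries: dict, key_bits: int = 128) -> dict:
    """Encrypt-then-MAC the list; only salt, nonce, ciphertext and tag are written out."""
    salt, nonce = os.urandom(16), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(login_password, salt, key_bits)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"key_bits": key_bits, "salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_password_list(login_password: str, sealed: dict) -> Optional[dict]:
    """Return the entries, or None if the login password is wrong or the stored
    blob was modified (the tag is checked before anything is decrypted)."""
    salt, nonce = bytes.fromhex(sealed["salt"]), bytes.fromhex(sealed["nonce"])
    ciphertext = bytes.fromhex(sealed["ciphertext"])
    enc_key, mac_key = derive_keys(login_password, salt, sealed["key_bits"])
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(sealed["tag"])):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def plaintext_on_disk(sealed: dict, entries: dict) -> bool:
    """True if any site name or password from the list appears verbatim in the stored blob."""
    blob = bytes.fromhex(sealed["ciphertext"])
    return any(site.encode() in blob or pw.encode() in blob for site, pw in entries.items())


def key_search_space(key_bits: int) -> int:
    """Worst-case number of keys to enumerate: 2**key_bits.  For 32 bits that is
    about 4.3e9 (roughly 71 minutes at one million trials per second); for 128 bits
    about 3.4e38, which is out of reach of exhaustive search."""
    return 2 ** key_bits


if __name__ == "__main__":
    # Constructed sample entries; real lists would hold realm/site credentials.
    sample = {"intranet.example": "hunter2-constructed", "mail.example": "s3cr3t-constructed"}
    blob = seal_password_list("login-pw-constructed", sample)
    print("recovered with correct login password:", open_password_list("login-pw-constructed", blob))
    print("recovered with wrong login password:", open_password_list("wrong", blob))
    print("plaintext visible on disk:", plaintext_on_disk(blob, sample))
    print("32-bit vs 128-bit key space:", key_search_space(32), key_search_space(128))
```

Two points worth noting about this construction. First, because the key is derived from the login password, the list is only as strong as the smaller of the key length and the login password's entropy; the longer key removes the 32-bit ceiling, and the slow key derivation is what makes guessing a weak login password expensive. Second, the MAC means a modified or truncated list is rejected rather than decrypted to garbage, which is the check a practitioner would want before trusting anything read back from disk.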
