[Previous] [Next] [Index]
[Thread]
RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
Paul Leach <paulle@microsoft.com>:
> The authentication information that is saved to the hard drive (in the
> user's personal Password List) is encrypted with the user's login
> password. (To be more precise, the user's login password is used to
> generate a key, with which all the other passwords are encrypted. This
> key used to be too short (32 bits), so we've made available a 128 bit
> version -- see http://www.windows.microsoft.com/windows/software/mspwlupd.htm)
First you should mention that the content of .PWL files is breakable
within seconds (don't have a pointer by hand).
Second there are concerns about how getting 128 _random_ Bits out of
a users password.
Third none AFAIK kas publically reviewed the new encryption algorithm.
not very good...
read you later - Holger Reif
http://remus.prakinf.tu-ilmenau.de/Reif/