RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2

• To: paulle@microsoft.com
• Subject: RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
• From: Holger.Reif@PrakInf.TU-Ilmenau.DE (Holger Reif)
• Date: Thu, 21 Dec 95 10:21:40 +0100
• Cc: www-security@ns2.rutgers.edu

Paul Leach <paulle@microsoft.com>:
> The authentication information that is saved to the hard drive (in the
> user's personal Password List) is encrypted with the user's login
> password. (To be more precise, the user's login password is used to
> generate a key, with which all the other passwords are encrypted. This 
> key used to be too short (32 bits), so we've made available a 128 bit 
> version -- see http://www.windows.microsoft.com/windows/software/mspwlupd.htm)

First you should mention that the content of .PWL files is breakable
within seconds (don't have a pointer by hand).

Second there are concerns about how getting 128 _random_ Bits out of
a users password.

Third none AFAIK kas publically reviewed the new encryption algorithm.

not very good...

read you later  -  Holger Reif
http://remus.prakinf.tu-ilmenau.de/Reif/

• Previous: Re: caching protected documents
• Next: Re: caching protected documents
• Index(es):
  • Index
  • Thread