[Previous] [Next] [Index]
[Thread]
RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
Does your mechanism for compromising passwords work against the fixed
password cache manager that has been posted to our web site?
Sorry for asking, its may be redundant, but i missed your messages from last
week.
-Thomas Reardon
Microsoft
----------
From: Brain21[SMTP:brain21@montag33.residence.gatech.edu]
Sent: Thursday, December 21, 1995 8:58 AM
To: Michael Brennen
Cc: Paul Leach (Xenix); www-security@ns2.rutgers.edu
Subject: RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
On Wed, 20 Dec 1995, Michael Brennen wrote:
>
> Does Win95 have a startup level password (and I don't know because I don't
> run Win95) to prevent access at all unless a valid password is entered?
>
It does for networking, but I'm not sure about standalone. Unfortunately
you can get around it by entering a bogus username and password. Now
Win95 has different desktops for different users, so logging in as
"bogus" w/ a passwd of "1234," for example, will not get you the same
desktop environment as Joe (Company) Owner, but as usual, you can access
any file from the file manager, you can also get a copy of their desktop
configuration file and copy it w/ your name on it so that when you log in
the next time you *will* get the same desktop as Joe Owner. Also,
passwords can be compromised via a method that I posted to this list last
week.
A better bet would be a CMOS password on bootup. This can be bypassed by
two ways - removing the machines battery for a few seconds, or by readily
available tools that will crack the password. Still enough to keep
honest people honest, so to speak.
Brain21