Passwords Can Sit on Hard Disks for Years

CygnusXII writes ""As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords. But even that is no guarantee of security." "

No Guarantee of Security?!?!

[Paulrothrock]

Run for the hills! There's no guarantee of security! Everyone stop using your computers right now!

Re:No Guarantee of Security?!?!

[harrkev]

Of course there is a guarantee...

Just buy a boatload of ram and disable virtual memory. Problem solved.

Of course, you could always use Knoppix or something similar whenever buying on-line. This would also solve the problem for the truly paranoid.

Re:No Guarantee of Security?!?!

[Lehk228]

Knoppix doesn't touch the hard drive at all, that is the whole point of a live CD, so no it doesn't use any swap

Re:No Guarantee of Security?!?!

[harrkev]

Actually, you only need to overwrite once to make it invisible to the computer over the IDE cable.

There ARE methods to get data off of a hard drive platter that has been overwritten only once, but this requires the hard drive to be removed from the computer and physicly disassembled, and is quite expensive.

Re:No Guarantee of Security?!?!

[LookSharp]

Of course, you could always use Knoppix or something similar whenever buying on-line. This would also solve the problem for the truly paranoid.

Of course, because everyone knows that retailers all use crackerjack security and are completely impenetrable by malicious forces. :)

(Everyone always forgets that these are two-party-- or more-- transactions.)

Yikes!

[mogrinz]

I've got to stop using c:\windows as my password!

Re:Yikes!

[kunudo]

Yes, change it to c:/windows... Then no one will be able to guess it.

Hehe

[mgs1000]

It looks like some reporter just discovered the page file. :)

Re:Hehe

[Reziac]

That was my thought too...

Back in the Win3.1x era, when the typical swapfile was still small enough to peruse with a hex editor, I cruised through my permanent swapfile with LIST, just to see what was being dumped out of RAM. I found data in there that was identifiably over 3 years old. And therein, I also found some passwords archived -- as plaintext.

Not to mention logfiles; I have some that stretch back several years, and I'm sure I'm not alone.

So I don't find this exactly "news" either. Then again, I could turn this into a rant on the "expertise" of the typical tech journalist... (one of my PC maintenance clients is one. Regular exposure has given me a complete lack of respect for the breed.)

Re:Hehe

[Jokkey]

The article does go into a bit more detail than that... They use a program called TaintBochs (probably hacked from the open source emulater Bochs) to track sensitive data and find out where exactly it goes and how long it's there. This sounds to me like a nifty hack, and they're actually doing research to come up with quantitative results on how long data sticks around, instead of just saying, "Um, yeah, stuff gets swapped out."

Re:Hehe

[Reziac]

Nah, reinstalling is just a sign of incompetence at dealing with Windows. And I mean that seriously. On average it takes Win32 about 3 years of average-user neglect and outright abuse to get to the point where it's nonfunctional, and even then it's recoverable with simple maintenance procedures.

As a SOHO tech, my job is not just to get the machine working, but also to get it to the state the client expects it to be in -- with all his apps and data intact (whether he has a good backup or not). I've only had to reinstall Windows *once*, and that was due to AOL5 FUBAR'ing both DUN and the entire WinEx/IE setup -- on a system that had gone five years with a PEBKAC owner and ZERO maintenance. I find it is faster and easier to resurrect the system than to hope to find all the body parts (apps, data, passwords, settings, CD keys, etc, etc.) and reinstall them where someone else expects them to be.

Of course, this is why my clients won't let anyone else touch their PCs, either :)

My own everyday setups date back to 1998 (Win95), 2001 (Win98), 1999 (WinME -- hasn't crashed since Sept.99, and this is a test box!!), 2002 (XP Pro). Plus I have a couple part-time-use Win95 machines that date back to '95 and '96. And my Win16 setup (1994) was finally retired at 7 years old. All are original installs and all work their asses off. -- I hadn't looked in WFWG's swapfile in some time, but it's a safe bet that if I inspect the CD where it's archived, I'll find data in the perserved swapfile that is now over 10 years old.

Re:Hehe

[Mortoc]

The fact that a password can sit on a hard drive is really irrevelent. If someone has access to your hard drive, they might as well just set up a keylogger and wait till you access a bank account or something, that would be much easier than wading through hundreds of megabytes of swap. This security hole is almost completely irrevelent, the only time that I would worry about something like that is when throwing away a a computer (which should be recycled anyway). Someone interested enough could go through your trash, removed an old hard drive and start snooping around.

Re:Hehe

[operagost]

Too bad he didn't discover the setting in Windows XP that clears the pagefile on shutdown. Instead, he plays programmer and suggests that only a few measly lines of code will fix the problem; and no one will mind the huge performance hit because computers are so fast already.

Even if you aren't running Windows, other OSes like OS/2 will recreate a fresh pagefile on every boot.

Re:Hehe

[Reziac]

No, I'm not a M$ fanboy. You'll see me bitch about their business practices, and sometimes about their software, as often as anyone here -- you want to see software flamed to a crisp, get me started on M$Office! and just wait til I catch up with the idiot who thought "browser as your desktop" was such a great idea, or the moron who didn't fully test the .MSI installer on Win98. And as to M$ getting in bed with DRM/media... that's why I keep hoping for a *NIX desktop I can next-gen my clients to, but so far it hasn't happened.

But in my experience, whining about *Windows* instability is based more in ignorance, and failing to consider the influence of bad hardware, than in objective reality. Considering all the random shit hardware people use, the ill-mannered software that abounds these days (most no longer bothers to clean up after itself, but rather expects Windows to do it for 'em), and the ignorance of average users, Windows gracefully absorbs a helluva lot of abuse. Yeah, it's possible to mangle the registry, but that's actually pretty rare; I've not seen it happen in years. And yeah, there are security holes and stupid default settings, but that's hardly unique to Windows (see the concurrent /. article about the router! talk about a field where they should know better!!)

I also have a Mandrake box, and while I generally like it well enough (tho I view BSD as more mature than linux), I do find it a whole lot easier to confuse or crash. Lordy, the lockup I get if I accidentally feed it a bad CDR!! Have to power down to get the CDROM drive back.

Re:Hehe

[lone_marauder]

IOW, tho the security issue exists, it's not exactly something to lose sleep over -- because if someone wants to compromise your security, why not get current data right from today's data input, instead of possibly-obsolete data of unknown relevance!

Because that Asian rape spam that popped up into your preview pane 2 years ago may not be a daily occurence. The FBI loves pulling up ancient JPG fragments from swap in their ongoing efforts to protect children.

Despite what you may have heard, the legality of pornography is of no relevance to prosecutors and judges; the first time the question of age comes up with regard to the subject of any particular photograph is when the jury is looking at poster size blowups of whatever they scraped off your hard drive.

To prevent fascism (or at least thwart it), do the following. Set the not-commonly-known "clear swapfile at shutdown" windows registry key:
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown to 1
Wipe your empty space and slack space regularly with something like eraser. (Interestingly, I don't know of a way to accomplish these things when using Linux as a desktop OS. If anyone knows of a way to clear the swap partition on shutdown or to clear not only free space on the hard drive, but also cluster tips (file slack), please let me know.) When finished using a hard drive, or any time you have cause to format it, boot up to rescue mode from any Linux distro's boot CD and dd if=/dev/zero of=/dev/hda (or whatever device your hard drive happens to be).

I have had access to the tools the bad guys (FBI, et. al.) use to extract evidence from your hard drive, and have seen that these procedures work brilliantly. Of course, I've also seen prosecutors derive character witness testimony from the very fact of using a program like eraser (only bad guys know this much about how to hide computer evidence!), so YMMV.

If you don't happen to live in the United States, treasure your freedom and fight to protect it.

Zero the data

[Lord+Grey]

One way to achieve this is for all data in RAM to be automatically turned into a string of zeros once it is finished with - something he [Tal Garfinkel] says could be done with just a few extra lines of code in application programs.

My company worked on a project a few years ago that required this very thing. It wasn't just passwords, though: The customer demanded that all data passing through the applications be wiped as soon as possible.

The project was written in C++. We started out using a custom string class that performed its own memory management (with zeroing the buffer on deallocation), but then promptly ran into problems with the STL. We wound up writing a memory allocator that also cleans up after itself. Those two solutions took care of the vast majority of the data leakage "problem" -- the only thing left was reinitializing stack variables within functions.

Perhaps the ultimate solution would be to encrypt data as it is entered, before it is saved into RAM, and arrange for programs that use it to decrypt it first.

The same customer actually requested this first. The problems associated with it were were terrible, especially in a multithreaded application. Plus, performance basically sucked. Wiping the data afterwards seemed to have the same end result, the performance was still good, and the customer was happy.

BTW, the memory allocator and string class both made their way into the company's downloadable core library (MIT license).

Re:Zero the data

[Lord+Grey]

Can you really be sure that the data is wiped? What if the memory is swapped to a page file or swap partition, later swapped back into memory and then you only erase what's in the RAM?

You can either lock the RAM page so it doesn't swap, or force the page to write back out to swap after zeroing. The former is far easier (unless you want to do a lot of painful coding) and, if I remember correctly, was what was done with the project I talked about. I don't think the page locking/unlocking made it into the downloadable library, though.

Safe passwords?

[belgar]

Computers not secure? What a relief all my passwords are on stickies stuck to my monitor. I'm set!

Well, we can always do like in MacGyver

[192939495969798999]

My favorite MacGyver episodes were the ones where he used fingerprinting dust to read the numbers on a keypad. Of course, anyone using the keypad for a password is only going to press the keys involved in the password.

The most dangerous thing to security is people. Why go routing around on a hard drive when you can just ask someone what the password is, and they'll probably tell you anyways?

Re:Well, we can always do like in MacGyver

[paiste404]

dont question the macgyver. this is the same man who once picked an electronic lock with half-full wine glasses and a canary. you will accept the macgyver and you'll like it.

Ultimate solution

[desplesda]

Let's just do a brain scan of everyone. I mean, you can forge fingerprints, voice prints, etc, but you can't beat a mind probe!

Untrue

[frs_rbl]

Passwords don't sit on hard disks. It's more like under mouse pads

talk about hacker sophistication...

P2P

It's amazing how easy it is to find people's password files shared on P2P apps like DirectConnect, Gnutella, etc. There's everything - Total Commander (FTP), WS FTP, mail clients, you just have to search for the proper file name.

Sir?

[The+Ultimate+Fartkno]

I'd really like to sell you my old computer since this is a yard sale and all, but I see that you're wearing a mask, carrying a saber, and have a black hat on that says "l33t h4x0r!" I can't help but think that you might somehow be up to some nefarious shenanigans!

of course, I've used the same password for years..

[rickthewizkid]

... and nobody's figured it out yet. I actually use several passwords, depending on the level of security. The "lowest" password, "password", is used for signing up to things like mailing lists, etc where there's little chance of me returning. The mid-level password, a pair of words with numbers in them, is used for mid-level security, such as my email, etc. The highest level password, a random collection of numbers, letters, and symbols, is used for the most secure information, such as my bank account, slashdot login and my pr0n encryption key.

Now if I could only remember the combination to my safe.....

Just my 46fctfj6&*23's worth....
-Rick the WizKid
(oooops...)

Mac OS X and Pastor

[andy55]

Ah, funny this story was posted--I just had to address this issue the other day. I run Mac OS X and I happened to be doing a fresh install, moving all my data over from an old HD. Before this, I had always stored my slew of account info in a text file in an obscure and unlabeled file (I know, I know--very careless of me--that's way I was ready to change my ways!).

Mac OS X's built-in "Keychain" services/util isn't streamlined for repeated user use, not to mention it doesn't have several auxiliary/free-form fields (that are also fully encrypted with the password field). After some research and trying a few of the freeware and shareware apps out there, I came across Pastor, a freeware, super-lightweight and user-friendly app that basically lets you maintain a catalog of username, pass, and about 6 auxiliary fields, stored in an encrypted file (when you go to open a file, it prompts you for the password and decodes it on the fly). If for some reason you don't dig this particular app, there's a couple others like it as well with increasingly levels of features (I happen to prefer lightweight).

So I went w/ this model and it's had great payoffs--when I need a particular login, I click on an alias to my main password (Pastor) file, enter the file's password to decrypt it, look for what I need (it alphabetizes), and I'm all set--meanwhile, there's absolutely no risk of security--I love it.

all you can do is be careful

[LBArrettAnderson]

There's no way to be 100% secure with passwords and the likes, but there are some things everyone should do. 1.) don't have the same password for everything! The website admins to every site you use a password for have access to it (and no one can trust a slashdot editor!). 2.) change your password often. The more often the better. This won't always work since most people, when they get a password, will do their damage immediately... but you never know. Another advantage here is OLD websites that you visitted a long time ago may change and new administrators will have access to your password.

pretty redundant stuff, but good advice that most people are too lazy to follow.

Just zero the pagefile

[diamondsw]

Just put your swap on another partition and zero it every so often (any way to do this automatically during shutdown, after VM is suspended?) - that takes care of your passwords in memory. As for programs that store them on disk, they better be encrypted, ala Apple's Keychain.

Self-Expiring Password Hardware

[Nuclear+Elephant]

Store all your passwords on a burned CD, that way they'll have a shelf-life of 3-5 years tops.

Hard disks? This article is about RAM.

[Audigy]

and I did RTFA, and realize they're talking about the swap file... ...but I have 1.5GB of RAM, and I have a 20MB swap file that's overwritten each time I reboot my PC.

Most Windows systems use the default setting for virtual memory, which is "windows managed" -- which means it's overwritten each time the system is rebooted. What's the big deal?

Has anyone here actually hex edited a swap file before? How is the data actually stored? For the reasons mentioned in the article, I imagine it would at least... not store data transmitted via SSL in plain text (why the heck would form data stick around in RAM anyway?)

Sounds like a neat project for after work today. :)

Whew

[thedillybar]

And everyone laughed at me when I put 2GB of RAM in my computer, allocated 1GB as a RAM disk, and pulled the harddrive out. None of those security issues here!

Repairs

[pubjames]

One thing that worries me is sending machines away to get repaired.

I have a Sony Vaio laptop which I had to send to be repaired. I phoned the support number to tell them I was going to take the hard disc out before sending it. They said that if I did I would be charged for a new hard disc (at a hugely inflated price) and they wouldn't repair it without one.

I once sent a PC for repair and the teenage dork who repaired it actually said I had some great games on my machine and that he had played them. In another case in the UK, some padeophile was caught (was it Garry Glitter?) when he sent his PC in for repair. Now, I'm all for catching kiddie fiddlers, but that is not the way to do it.

I don't want the repair staff looking through the stuff on my hard disc. There should be a standard industry guarantee that this won't happen, or a privacy law about it or something.

Re:Repairs

[Woy]

I have a computer services company, and a client of ours, a lawyer, never ever lets his computer out of his office. All repairs, no matter what, are done in his office, under his scrutiny. He has no problems paying for it, he says he is required by law (we are in Spain) to be sure that his clients' data is safe at all times. There just isn't another option.

Re:Repairs

[harrkev]

Maybe a removable hard drive would be much easier on the wallet. Keep the programs/OS on the computer's hard drive, but all client data can be kept on an external firewire/USB hard drive. You can even buy two and copy one to the other once a week or so for backup. All for under $100 (if you shop around).

Encrypt your disk

[PSUspud]

When I read the headline, I was alarmed. But
then I read the article, and all my worries went away.
I encrypt my swap partition, and that fixes the problem.

It's not hard, and since it's swap (i.e., data
you don't need for very long), you don't even need
to remember a password (your computer uses a random
one every time is sets up the swap). Really, it's
pretty easy -- see the HOWTO at http://www.tldp.org/HOWTO/Disk-Encryption-HOWTO/
and keep your goatsex links and pictures confidential.

Find them using Kazaa

[Drunken_Jackass]

You'd be amazed what you can find on Kazaa when you search for documents with password or resume or account as the keyword. People don't realize that you don't need to be a hacker to break into your machine - just someone with access to the folder you share on and P2P network...which, if it happens to be your My Documents folder....look out.

OpenBSD

[GlobalEcho]

OpenBSD encrypts the swap space by default, specifically to avoid these problems. I would hazard a guess somebody has hacked Linux to do the same, but I haven't seen it.

Of course, if you have so much RAM that you never swap, this is less of an issue.

Re:OpenBSD

[Big+Jason]

Umm, no.

vm.swapencrypt.enable is set to 0 (zero) by default, take a look at your /etc/sysctl.conf

Protective measures

[Woogiemonger]

Some basic tips that not enough people know, in no particular order:

1. Make sure you have a firewall configured to allow incoming connections from only ports you need open. You might be able to do just fine with no incoming connections allowed at all.
2. Have an updated virus checker.. Norton or Mcafee. By updated, I mean having it auto-update for you. Have it check every file accessed on media accessed by the computer, and email. At the very least, all the incoming media and email should be scanned on the fly, but outgoing is a good idea too.
3. Use Spybot or Ad Aware at least once a month to scan for spyware. Also keep these updated. I forget if they auto-update, but just be sure it checks for updates before you run them.
4. Only use credit cards that keep you free of liability for any fraud.
5. Buy a separate unnetworked little organizer with a keyboard to store hints to remember your passwords. Don't store the actual password.
6. Cancel credit cards you don't use.
7. Photocopy the backs and fronts of all the credit/debit cards you use and whatever else you keep in your wallet. Write in the customer service phone numbers if they're not clear.
8. Have Windows auto-update and auto-install all critical patches, or keep your Linux distro updated.
9. Don't open email attachments that you have no reason to trust, and certainly not until you have antivirus software checking incoming emails.

Re:Protective measures

[evilviper]

4. Only use credit cards that keep you free of liability for any fraud.

Despite the FUD TV ads the credit-card companies want you to believe, THERE ARE NO OTHER KINDS OF CREDIT CARDS IN THE USA. It is federal law that you cannot be held liable for unauthorized charges on your credit card. Actually, I believe you may be required to pay up to $50, but that is really a trivial ammount.

So, don't believe the hype.

Eraser will help

[stecoop]

Go download Eraser. It will erase empty space and swap files using DoD mil quality and even higher. It will erase empty space on your drive while you sleeping swiping it clean of bits 32 times over. On shutdown it will erase the swap file with the same quality. You can also get the source code and make it better if you want.

I have mine run once a week. I'm more concerned of my hard drive failing having to returning it under warranty and someone else receiving that drive they could then retrieve my data.

Rubbish!

[arvindn]

Article says:

Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive.

That's a flat out lie.

$ man mlock

MLOCK(2) Linux Programmer's Manual MLOCK(2)

NAME

mlock - disable paging for some parts of memory

SYNOPSIS

#include

int mlock(const void *addr, size_t len);

DESCRIPTION

mlock disables paging for the memory in the range starting at addr with length len bytes.

OpenSSH uses paging protection. It also zeroes out the password in memory. Immediately upon hashing it. I've seen the code.

Authors are at Stanford? Paper at USENIX? Can't believe this shit.

Re:Rubbish!

[julesh]

Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive.

That's a flat out lie.

$ man mlock

MLOCK(2) Linux Programmer's Manual MLOCK(2)

NAME

mlock - disable paging for some parts of memory

Indeed, and under Windows (quoted from msdn.microsoft.com):

The VirtualLock function enables a process to lock one or more pages of committed memory into physical memory (RAM), preventing the system from swapping the pages out to the paging file.

Re:Rubbish!

[evilviper]

Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive.

That's a flat out lie.

$ man mlock

And if I remember correctly, you need root access to use mlock(). Now then, how do you feel about running Mozilla/Firefox as root? Mozilla and any other applications you might possibly type a password into... GPG has the same issue: http://www.gnupg.org/documentation/faqs.html#q6.1



Meanwhile, for quite some time, OpenBSD has had the "swapencrypt" sysctl option, which causes everything swapped to disk to be encrypted with a random key that is stored only temporarily in RAM, never on disk... thereby taking away any possibility of getting usable data out of the swap partition.

For more info: click here.

My Security Tips

[Waffle+Iron]

Here are a few security tips that I use to help keep my passwords secure:

• Don't impress your passwords into soft clay tablets then bake them and leave them in the ruins of your civilization.
• Never glaze your passwords onto pottery. Even breaking the pottery into shards is not a secure way to dispose of them.
• Do not write your passwords onto parchment then leave them rolled up in caves in a desert environment.
• Remember, security through obscurity doesn't work. Even if you keep your passwords in a totally hidden chamber under thousands of tons of stone, determined hackers will still be able to find them.

Re:Hackers?

[cuzality]

"...and hackers become more sophisticated..."

...and WHO become more sophisticated?

FAR more sophisticated in my estimation -- haven't you read where they even order their pizza and have it sent right to their parents' basement without ever having left the comfort of the '#'?

Next they'll be relieving themselves by HTTP POST transaction...

Even the fathers never saw these days...

Re:Cleaning hard disks of passwords etc

[evilviper]

2) To delete things properly, turn off paging and disk caching, reboot,

And unless you have massive ammounts of RAM, your system will refuse to do anything...

I turned off the swaping on a Windows 2000 system that had 256MB of RAM, and rebooted, only to find that I couldn't do anything at all. The system started-up, but no programs could be opened. I could even get to the command-prompt, or the control panel to turn the page-file back on. Result, one completely destroyed and unsavable Windows system.

Don't recomend doing things that you've never done yourself and/or don't know enough of the details about how it works...