New Tool Reveals Internet Passwords

wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."

Prettier Tool, Old Exploit

[eldavojohn]

This tool appears to just be a well written exploit targeting not just IE but a number of other Microsoft products. I assume it relies on the "Remember my password" functionality in order to get the password. If the browsers are caching passwords without your consent, they are worthless. I know of generalized tools that will do this for any site you remember a password for: IE PassView, Google Chrome Pass, Messanger Key for instant messengers and even Password Fox.

When you click "remember my password" the browser stores it in a semi-obfuscated way. Yes, it encrypts it but it must also put the key it uses to encrypt your password on your hard drive somewhere. Since your browser is not also a rootkit, any application you run on your box can access everything your browser can write. Therefore you need only spend the time to figure out where the encryption key is being stored and what kind of encryption the browser is employing to encrypt your password. When your mail client or chat client are remembering your passwords, it's no different. We could have a lengthy debate about whether 'remember your password' should be allowed but apparently the majority of users are okay with it considering the convenience it grants them. If they use the same machine to surf malicious websites, this makes it easier for malware to steal the passwords than a complex keylogging system ... and I guess people who click "Remember this password" are just fine with that prospect.

A few simple lines of code later and you too can write your own command line password discovery tool. Slap a seksi user interface on that and apparently you can sell it for $49.

Re:Prettier Tool, Old Exploit

[ShadowRangerRIT]

This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password. Instead of remembering every single user name and password, you can store them all behind encryption, but the key for this encryption is in your head, not the disk. Obviously still open to exploits if you're infected (pop up a fake window requesting the master password, hook the browser itself and read the keystrokes passed to it, etc.), but virtually any exploit that can grab the master password could grab the real passwords anyway, so the distinction is trivial. As long as your master password isn't "12345" of course.

Re:Prettier Tool, Old Exploit

[Spad]

Which is why I like Seamonkey's ability to secure the password store with a password of its own so that you're not simply relying on security through obscurity.

Re:Prettier Tool, Old Exploit

[AlexiaDeath]

msgshit.com - interesting domain name. Deliberate, it seems. 5pts. All your cached passwords are readable. They have to be to be used. Duh! Nobody caching their passwords should be surprised by that...

Re:Prettier Tool, Old Exploit

[stonewallred]

WTF!!! How did you find out my master password??!!?!?!

Re:Prettier Tool, Old Exploit

[Cryacin]

What? That's the same combination as my luggage.

Re:Prettier Tool, Old Exploit

[Voulnet]

Damn, I didn't know Kevin Mitnick started posting on Slashdot after his interview here.

Re:Prettier Tool, Old Exploit

Not to mention that for the open source browsers you can probably just look to see where it stores those keys. This is not a knock against the system, or even the approach, but just an observation.

Assuming the tool is just using the associated "Remember my password" functionality, then this is a non-story and people could get it without the tool. Heck, in Firefox, and I believe Chrome, you can view your stored passwords in plain text using the built-in password manager.

Re:Prettier Tool, Old Exploit

[TheSpoom]

Firefox doesn't even attempt to hide it: Preferences -> Security -> Saved Passwords -> Show Passwords.

Re:Prettier Tool, Old Exploit

This is of course why Firefox (and I presume a few other browsers) have the option to protect your password cache with a master password.

And this is what Windows does. The CryptProtectData API uses a key that is itself encrypted with (data derived from) the user's password. So you can only access the cached passwords if the user is logged on or you know the password.

Is that supposed to be PRAISING that boneheaded scheme?

Re:Prettier Tool, Old Exploit

Perhaps this needs a rethink on filesystem security?

I'm thinking a desktop OS wherein each application is assigned a directory/folder on installation, and is only able to access its own folder a per user generic 'documents' folder, and a per user, application specific configuration folder. There'd be some costs to that - developers would have to compile against APIs and libraries rather than importing them in from the system at runtime. This would make individual programs larger and increase maintenance requirements - but at the same time it would mean that you that a developer would know exactly what version of said resources were in use, and at the same harden the system against malware. Documents would still be at risk, but applications, passwords and configuration data would be protected from interference.

The system would have to have some very strict driver models and memory management - possibly a valid use for tpm? - but in theory at least it should be workable.

Whether anyone's got the stomach for the attempt is another matter though. :S

Re:Prettier Tool, Old Exploit

[ehrichweiss]

If you assign a master password that changes for you a bit; it won't show them without you entering the master password, twice IIRC.

Re:Prettier Tool, Old Exploit

[TheRaven64]

On OS X, the keychain is stored encrypted. When you log in, the keychain daemon runs and, if your keychain password matches your login password, decrypts the store into RAM. Individual passwords can only be accessed by other apps via RPC to this daemon. This RPC uses Mach ports, which allow the process on the other end to be identified. Access to individual passwords must be specifically granted (on a one-off or permanent basis) to apps, although any app can access all passwords that it created. If the app binary changes, you are required to re-grant permission to it.

You don't need a new FS design for this to work, just existing IPC mechanisms.

Re:Prettier Tool, Old Exploit

[Vahokif]

My master password is ********.

Re:Prettier Tool, Old Exploit

[Yvan256]

http://bash.org/?244321.

Re:Prettier Tool, Old Exploit

[Yvanhoe]

"remember my password" can be secured by a master password. Type it once in a session to be able to login to many website. Honestly, nowadays, with 20+ websites asking silly registrations, it is either that, or use the same login/password everywhere.

Re:Prettier Tool, Old Exploit

[natehoy]

Except the first time you want to access the password store in each session, you present your password that "unlocks" the password store, then THAT password is persisted for the remainder of the session. So, either way, if you visit a malicious website the chances are your password store is in a vulnerable state (the password store is open for business, and the password is available somewhere). In both the Seamonkey/Firefox and Microsoft cases, the password store is vulnerable once it's logged in. The only difference is that in the Microsoft case, you're always logged in. In the Seamonkey/Firefox case, you're only logged in after you've entered the password to access the password store, which is probably "only" 99% of the time you surf the Web, but at least the password store is pretty secure if you're not running your browser at all, or haven't used the password store yet for that session.

Of course, the alternative is use the password just long enough to perform the requested operation, then forget it. That means, though, that you'd have to ask for the security password every time a site wants to retrieve a password from the store or the user wants to add or update a password in the store. Then people would just remove the password, because that would be a pain. Think Vista/7 UAC popups that each need a password, or sudo/su in Linux, but every time you want to use a stored password in your browser. Most people would tolerate that for about as long as it takes to remove the password.

And, if you don't bother putting a password on it (Firefox leaves the password off by default, and I don't know anyone else who actually uses it), then Firefox is just as vulnerable as the Microsoft exploit.

Yes, the tool is AVAILABLE, but the benefits it offers are somewhat marginal and it's not the default setting.

If you want passwords stored and entered automatically, then the passwords are no longer under your control to enter manually and there's going to be a way for them to be read once you make them conveniently available. By all means, use the password store (and the password that protects it, please!) for things like your Slashdot account, etc. Just for the love of [insert deity of choice] DON'T use it for passwords like your bank account or credit cards.

Re:Prettier Tool, Old Exploit

[ShadowRangerRIT]

Well, the Windows scheme only protects your password from malicious software if you never log in at all; once you're logged in any program can pull the passwords, even if you never load the browser. Firefox can only give up master password protected passwords if you launch the browser and provide the master password. And an extension exists to configure the Firefox password manager to "forget" the master password (which is never actually stored, but you know what I mean) after a few minutes, limiting the window of vulnerability further.

Beyond that, if you've got truly malicious software actively running on your computer at all times (not just some website that gets brief read access through an exploit), you're hosed no matter what. Even if you never use a password manager, they can read the password as you type it into the browser; it might take more time than decrypting a password store and forwarding the data in bulk, but it's just as effective over the long haul. It's a trade off between window of vulnerability, scale of breach, and hassle. No manager at all is a hassle (to remember all usernames and passwords), but it's the most secure, since you can only lose one password at a time, with narrow windows of vulnerability. Password managers mean the scale of breach potential increases (you can lose them all at once). Firefox with a master password narrows the window of vulnerability relative to IE, and the extension that re-locks the store narrows it further, at the cost of needing to remember and type the password store password.

I consider it a reasonable trade-off, given that I'm not going to remember the user name and password for every site I visit. Even if I wanted to use the same one everywhere (and I don't, because then one site breach means I lose everything), differing username and password requirements make that impossible, and frankly, my memory isn't good enough to track login info for fifty odd websites, including a dozen I visit only once or twice a year.

Re:Prettier Tool, Old Exploit

[sconeu]

WTF? I have the same password on my atmosphere shield!

Re:Prettier Tool, Old Exploit

[ShadowRangerRIT]

Which is why I didn't belabor it, or introduce it out of context. I was pointing out that Firefox's scheme is only as secure as the master password you choose. The particular bad password I chose for the Spaceballs reference on the hope that it might get a chuckle or trigger a brief moment of pleasant nostalgia, forgetting that on /., every joke must be beaten to death and explained, rehashed, insulted, re-explained by someone who thinks the insult came due to unfamiliarity, etc., until all traces of humor vanish. Oh well...

Hmm... This is an old story, so this probably won't receive any mods, but I have no idea what I'd mod it if I were moderating. Flamebait/Insightful/Funny/Interesting/Off-topic maybe? Mods, if you can coordinate to apply each of those once, it would be awesome (and I'd end up with overall neutral Karma!). :-)

Re:Prettier Tool, Old Exploit

[hedwards]

Yes, but it would be nice if they didn't default to saving form information and asking you if you want to save password on every single site.

Re:Prettier Tool, Old Exploit

[Cato]

You could also look at LastPass - http://lastpass.com/ - which works very well across Windows/Mac/Linux, Firefox, Chrome, Safari, etc, and on many mobile phones as well. Quite well designed and mature, and can be used offline though it's a browser addon, and syncs your password data to/from the cloud automatically, but also supports export to various formats if the cloud goes away. Now has a feature to manage non-browser passwords as well.

Re:Prettier Tool, Old Exploit

[bheerssen]

12345? That's amazing! I've got the same combination on my luggage...

Re:Prettier Tool, Old Exploit

[macshome]

Apple offers the Keychain APIs for secure storage of identity items as well.

Using this a browser can store what it needs in a secure way. Access to each and every item is controlled by ACLs that you can tweak to your heart's content.

Re:Prettier Tool, Old Exploit

[Sulphur]

Thank you for pressing the self destruct button.

Re:Prettier Tool, Old Exploit

[PincushionMan]

All I see is hunter2

Re:Prettier Tool, Old Exploit

[ShadowRangerRIT]

Eh. Defaulting to a more usable but less secure state is standard practice for anyone that wants to sell software to consumer. If you care about it, it's trivial to fix:

• Tools->Options->Privacy->Select "Use custom settings for history"->Uncheck "Remember Search and Form History"
• Tools->Options->Security->Uncheck "Remember passwords for sites"

My girlfriend does it first thing after installing Firefox on every machine she's ever owned (and she's not particularly computer savvy; she's a science nerd, not a computer geek). Of course, she makes up for the added security of not saving those fields by using the same password everywhere, so it's not exactly an improvement.

Re:Prettier Tool, Old Exploit

[JustOK]

Mr. Balmer?

Re:Prettier Tool, Old Exploit

[JustOK]

You keep going on and on about people going on and on about something. That's funny.

Re:Prettier Tool, Old Exploit

[wkcole]

Apple offers the Keychain APIs for secure storage of identity items as well. Using this a browser can store what it needs in a secure way. Access to each and every item is controlled by ACLs that you can tweak to your heart's content.

And we all know that with the excellent security synergy between users and application developers, the result of having freely tweakable security settings that default to moderate strength inevitably tends towards most users finding their own optimal balance of security and convenience that never leaves anyone at significant risk.

What, you haven't noticed that? I'm SHOCKED!

Snark aside: YES, Apple provides a strong toolkit and default behaviors (in Safari and elsewhere) that set a reasonably secure norm for MacOS apps. However, it is important to keep in mind that legitimate users are ultimately the weak point in any security model that involves them. Apple has done well with the MacOS Keychain and securityd, but in a reality-based context, "doing well" means that they have chosen a default compromise between convenience and security that is neither trivially weak (the MS problem) or strong enough that most users effectively switch it off (the Mozilla problem.) Any generally tolerable password/identity/authentication management system that addresses the multiple-password problem is a security compromise per se. The real trick is not making it tweakable, but making it discourage/resist user and developer tweaking that turns "compromise" into "gaping open hole." One can make the Keychain and securityd a gaping open hole or an infuriating nuisance, but it isn't particularly easy to do either.

Re:Prettier Tool, Old Exploit

[shnull]

dam' refinement of technology ... in meeehehey days, tools wudnt that darn complicated and specific, they just revealed all windows passwords ...

Re:Prettier Tool, Old Exploit

[turnkey-web]

This is nothing new with Microsoft! People will hack their code at every opportunity and they know it. This gives them an excuse to release an even more secure program year after year! Am i the only one who thinks this? Mobile phone lasts 2 years max... why? because they want you to buy a new one! Windows gets so hacked and unusable within 2 years... again why? so they can bring out a new version.. just about every product on the market is like this because if not they have no repeat business which means no business at all. rant over! good luck in securing your data, i expect this task is impossible. If someone really wants to trawl through your emails sifting through the thousands of spam we all receive they are going to do it no matter how much money or time you invest in trying to secure it.

Slashvertisment if EVER I saw one.

[richy+freeway]

None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

Check out http://www.nirsoft.net/utils/#password_utils for password recovery tools, for free, that have been available for ages.

Re:Slashvertisment if EVER I saw one.

[Xacid]

Or even Cain

Re:Slashvertisment if EVER I saw one.

[richy+freeway]

And you run this tool from the article where? On your cellphone?

My point is valid and still stands. The tools I linked to are EXACTLY the same.

Re:Slashvertisment if EVER I saw one.

[ehrichweiss]

You definitely didn't RTFA, or understand the summary. It's a locally run program that reveals passwords for the sites you visit to the person who runs the program.

Re:Slashvertisment if EVER I saw one.

[olderchurch]

Nowhere in TFA it says anything about an expoit that reveals your password to a website you visit. It mentions that it reveals passwords that are cached. From the FTA:

The password breaker gives users the ability to instantly retrieve the login and password information to a variety of resources such as those routinely cached by Web browsers. The tool can quickly recover cached logins and passwords to Web sites, including pre-filled forms and auto-complete information stored in the Internet Explorer cache. In addition, the tool makes it possible to instantly replace or reset IE Content Advisor passwords.

Re:Slashvertisment if EVER I saw one.

[richy+freeway]

Explain to me what you think TFA is on about then. From what I've seen so far, you've missed the point completely. What do you think cached passwords are?

Re:Slashvertisment if EVER I saw one.

[Stunning+Tard]

This exploit reveals your passwords to a website that you visit (although I have not RTFA), which is a bit different.

The slashvertized tool does not send passwords to a website. It reveals passwords to you when you run the tool locally. This is not news.

At the risk of putting this company out of business here's a 'cracker' for passwords stored by most browsers.

Re:Slashvertisment if EVER I saw one.

[ZyBex]

The OP is actually agreeing with you, dude. Read again.

I agree, this is nothing new. Nirsoft tools are great, I've been using them for ages. Time to make a donation.

New? I don't think so.

[jack2000]

This isn't new by any foxnews stretch of the word.

vs OS X keychain?

[AHuxley]

How safe is OS X and its keychain tech?
Is it also $49 safe? Thanks

Re:vs OS X keychain?

[kybred]

From Wikipedia Apple Keychain

The default keychain file is the login keychain, typically opened on login by the user's login password (although the password for this keychain can instead be different from a user’s login password, adding security at the expense of some convenience).

...

The keychain file(s) stores a variety of data fields including a title, URL, notes and password. Only the password is encrypted and it is encrypted with Triple DES.

Title is Inaccurate

[Cytlid]

It should read "New Tool Reveals Windows Passwords".

Re:Title is Inaccurate

[AHuxley]

Yes it seems if you use Linux or Mac, your MS web mail should be safe.

Re:Title is Inaccurate

[dyingtolive]

Oh god, I'm so relieved. For a moment I was afraid someone got the password to the internet!

Actually, to be honest, when I first saw the headline, I thought to myself, "When asked to stop revealing people's passwords, the tool put his oakleys on, popped his collar, and then nah "Nah, bro," before walking away.

Bah...

[PmanAce]

I am invincible, I use Chrome...

Re:Bah...

[wkeri11a]

LOL..nice but you're comment makes a good point - this little article mentions only IE. Does that mean browsers like Firefox (my choice), Chrome, Safari are immune. All of them have remember my password functionality but somehow does it better/different? I assume this since no one so far has written, "Sweet Jesus we're DOOMED!", that IE is the only exploited platform with this software?

Re:Bah...

[Spad]

No. Your saved browser passwords are only secure if the browser provides (properly implemented) password protection for the saved passwords.

i.e. The passwords are encrypted with a key, which is encrypted with a password that the browser requires you to enter before it will allow access to your saved passwords.

Heh

[Pojut]

This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

This was how I discovered the password for our dial-up internet back when I was in middle school in the mid-90's. My mom entered the password, and usually waited until it connected...but one time she slipped up, and left before it connected. I hit "cancel", and sure enough the password was still there, just blocked by asterisks. Thanks to "Revelation", I got it and was able to log in during the middle of the night, chatting it up on Yahoo and working on my Angelfire web page.

Ah, memories...

Re:Heh

wtf? I almost have the exact same story...

Re:Heh

[ninja59]

right, your Angelfire web site in the middle of the night. (a light fappish sound in background)

Re:Heh

[6Yankee]

My mother went for the low-tech solution to keeping my brother and I off the internet when she wasn't around - taking the power cord to the PC with her.

Suffice to say, they don't call them kettle cords for nothing ;)

Re:Heh

[hellop2]

You mean Snadboy's Revelation http://www.snadboy.com/

Re:Heh

[PacketShaper]

A pubescent youth gets the keys to the internet and he spends his time late at night....working on an Angelfire webpage?

What kind of mutant alien monster are you??

Re:Heh

[Pojut]

The kind who had found his step-dad's "collection", and didn't need crappy mid-90's Internet video for his fapping ;-)

Re:Heh

[Pojut]

It's been a long time, but I'm 99.9% sure that was it!

Re:Heh

[Thuktun]

This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

In that version of Windows, a password edit control just had a password style set on it and you could effectively disable that with some simple Windows API calls. Worse, you could just WM_GETTEXT and get the password out in plaintext without changing the style.

Re:Heh

[glwtta]

working on my Angelfire web page

That's an odd way to misspell "masturbating furiously".

Re:Heh

[Bing+Tsher+E]

Years ago I once lost the password for my dial-up internet, and it was easier to make a 'modem tap' to recover it than it was to dig into the binaries and extract the encrypted password from the dialup networking glop I used back then. I just soldered on a third 'listen only' tap connector on my modem cable and intercepted the password as it was sent out to the modem.

Re:Heh

[b4dc0d3r]

It's specific to versioned windows, you have to update the address of USER32.ValidateHwnd, and it probably does not work with ASLR type protection. But it worked with XP.
<code>

#include "stdafx.h"

int ReadOtherProcess (HWND hwnd, void *address, void *buf, unsigned len)
{
unsigned long pid;
HANDLE process;

GetWindowThreadProcessId ( hwnd, &pid );
process = OpenProcess (PROCESS_VM_OPERATION|PROCESS_VM_READ|
PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, FALSE, pid);

DWORD dwread;

ReadProcessMemory ( process, address, buf, len, &dwread);

CloseHandle(process);

return dwread;
}

int WriteOtherProcess (HWND hwnd, void *address, void *buf, unsigned len)
{
unsigned long pid;
HANDLE process;

GetWindowThreadProcessId ( hwnd, &pid );
process = OpenProcess (PROCESS_VM_OPERATION|PROCESS_VM_READ|
PROCESS_VM_WRITE|PROCESS_QUERY_INFORMATION, FALSE, pid);

DWORD dwread;

WriteProcessMemory ( process, address, buf, len, &dwread);

CloseHandle(process);

return dwread;
}

FARPROC GetValidateHwnd(void)
{
// Since ValidateHwnd() is not an export, we have to hard-code some stuff here
static FARPROC ret = NULL;

if (ret == NULL)
{
HMODULE user32 = GetModuleHandle("user32.dll");
if (user32)
{
// TranslateMessageEx and DefWindowProcA are on either side of ValidateHwnd()
FARPROC tmex = GetProcAddress (user32, "TranslateMessageEx");
FARPROC dwpa = GetProcAddress (user32, "DefWindowProcA");

// W2k SP4 ver 5.0.2195.7017 // (380,688 bytes)
if (tmex == (FARPROC) 0x77E14000 && dwpa == (FARPROC) 0x77E14754)
ret = (FARPROC) 0x77E14301;
}
}

if (ret == NULL)
{
// TODO: crib the address from other procs (see XREF for calls from ProcName+4)
// most proces which take HWND as first param use a mov ECX and call ValidateHwnd
// mov ECX will always be the same opcodes, call will be E8 + offset to ValidateHwnd
// GetProcAddress, make sure *ADDR = 0x04244c8b, next byte is E8,
// and add the next offset to ADDR
/*
.text:77E14754 public DefWindowProcA
.text:77E14754 mov ecx, [esp+hWnd]
.text:77E14758 call ValidateHwnd

.text:77E15ABC ; BOOL __stdcall UpdateWindow(HWND hWnd)
.text:77E15ABC mov ecx, [esp+hWnd]
.text:77E15AC0 call ValidateHwnd

.text:77E15B7A ; BOOL __stdcall GetClientRect(HWND hWnd,LPRECT lpRect)
.text:77E15B7A mov

Sigh.

[Spyware23]

This isn't anything like Cain & Abel or 1000+ other tools did before for OVER TEN FSCKING YEARS. If slashdot ever posts "news" from sites like securityweek again I might cancel my newsletter subscription. Tip: security knowledge comes from security related blogs/forums (ie. hackers), not "news" websites which place more product placement than news.

Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

Re:Sigh.

[Hijacked+Public]

Tip: A large number of stories on Slashdot are product placement. It has been this way since, to my recollection, the series of stories on They Might be Giants. It was probably going on before that and I just didn't recognize. Those seemed like the first slashvertisements that made no real effort to disguise themselves.

Slashdot is good for its user submitted content. There are still some really good, really informative discussions going on involving people who really know the subjects, that can't be found anywhere else. If slashvertising like this is necessary to subsidize those discussions I think it is worth the trouble.

Re:Sigh.

[The+Car]

Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

In their defense, the core logic is written in C#.

Re:Sigh.

[interval1066]

Yeah, this really isn't anything new or newsworthy; that some Russian web site is charging $50 to give you already existing tools in a nice package; now that's news!

Re:Sigh.

[hedwards]

No it's not, what's news is that they then take your credit information and completely empty the bank accounts associated with it.

Re:Sigh.

[hadesan]

It's a CmdrTaco post - did you expect anything less (or actually more)?

Passwords

[Rik+Sweeney]

And it's for this reason that I write all my passwords down on the back of my hand.

I've already addressed the problem of them washing off by using using permanent marker. And not bathing.

Re:Passwords

[robot256]

It's okay, because he changes his password every two weeks when the ink fades and writes the new one down on top of it. Right?

Which is this?

[tverbeek]

Is this an alert or an advert? ;)

Re:Which is this?

[Spad]

An Adlert?

Re:Which is this?

[acoustix]

Ask your doctor if Adlert is right for you.

Nice. I appreciated that.

Re:Well, ok

[gardyloo]

That would be an interesting question, if you didn't actually mean affect.

Re:Well, ok

[prionic6]

I think it effected his post.

Solve the problem

[L4t3r4lu5]

Use Keypass

Re:Solve the problem

[L4t3r4lu5]

Further, "CmdrTaco! Look out! kdawson has stolen your password using this tool and is posting inflammatory and poorly researched crap using your account!"

Re: Interface

[TaoPhoenix]

I wanna see the Skeksi interface!

The Dark Crystal (1982)
http://www.imdb.com/title/tt0083791/plotsummary

Firefox password security

[bartwol]

Firefox offers an option to use a [user-supplied] master password to encrypt/decrypt password data. If a Firefox user enables that functionality, then Firefox would not [by my guess] be vulnerable to an exploit strategy such as the one employed by this cracking product (which relies on rule-based keys instead of a user-supplied key). Firefox passwords may, however, be vulnerable to other cracking strategies.

Here are some more details about how Firefox stores passwords.

Site seems to be down

[__aavqan3009]

Site seems to be down

I'm glad they finally figured this out.

[hilather]

I was beginning to think IE cache was unbreakable...

Re:I'm glad they finally figured this out.

[caekys]

I was beginning to think IE cache was unbreakable...

How does one break something that is already broken? Naw, just kidding.

New Tool Reveals Internet Passwords

[burgessms]

all your password belong to us

PR

[internetdarwin]

This whole thing reads like a press release for a new product: "With a price tag of just $49..." As has already mentioned, this is not really newsworthy, old tech in a new box.

and it doesnt work with LINUX?!?!?!

[Razgorov+Prikazka]

I am outraged! Why doesn't this work on Linux?
Its always the same... people think that FOSS is not that important blablabla...

</tong-in-cheek>

"Remember my password" is inherently insecure.

[efalk]

Any "remember my password" feature in any app is inherently insecure.

Whenever I write such a feature, I encrypt the saved password, but I understand that this will only defeat wannabe crackers whose level of sophistication is limited to running strings on cache files. Any cracker worth their salt will reverse-engineer the encryption used by the app.

It's for this reason that I never enable "remember my password" where important passwords are involved.

No that is incorrect

[Sycraft-fu]

Windows passwords are stored using non-reversible encryption be default. For Vista and 7, they are stored only using the HTLMv2 hash by default, which is extremely secure. For XP passwords under 14 characters it does store the LM has as well by default, which can generally be cracked with only a little effort as it is not secure.

What this tool does is reveal saved passwords in programs. That is not hard to do. Any password you save for a remote system must, by definition, be stored using some sort of reversible encryption. Doesn't matter what the software is, you can recover a saved password like that. It can be obfuscated, but not hidden. You can, of course, encrypt the entire password store with a password itself, but if you just have a password saved to auto log in to something with no user intervention, it must be saved using something that the program can reverse.

So sorry, this isn't some massive Windows flaw, much though you might want it to be.

Depends

[Sycraft-fu]

Anything that just stores passwords for automatic login, and doesn't require any user interaction, is not secure from something like this. Reason is if a program, like say Thunderbird, can get your e-mail password to hand off to the server, well then another program can too. It is stored in some easily reversible form. However, if the program itself needs a password to access the password store, then it should be secure provided a good password is used. The reason is that it uses that password to encrypt the other passwords with strong encryption. The only way to get at them is to find out the password that is encrypting them.

So if you want the convenience of entering no password, which it just remembers your stuff and never asks you, no, sorry, there is no way to make that secure from another program on your system. However if you have lots of passwords and can't remember all of them and just want to remember one, then a program that uses a master password to encrypt the others will keep them secure, if the master is a good password.

1995 wants its news back

[ajv]

Yawn. LSA secrets aren't particularly.

Why not write stories about those who build things rather than give valuable Slashdot electrons to breaking stuff? Boring.

My wife needs a tool like this.

[s_p_oneil]

My wife needs a tool like this. She can never remember her passwords.