
Re: [dvd-discuss] Fwd: Bush taps Clarke as CyberdefenseChief



On Thu, Oct 11, 2001 at 07:53:59PM -0700, D. C. Sessions wrote:
> > > Microsoft Passport stores login and password information in plain
> > > text on the user's hard drive.
> > 
> > Plain text?  Somehow I had missed hearing that
> > about Passport (I had heard other problems).  
> > 
> > I can't believe that MSoft messed up to >that<
> > extent!
> 
> After a bit of further research, it seems that it's stored encrypted
> but passed through the APIs in clear.

Not to mention that all of M$'s encrypted password systems so far have
been plaintext-equivalent systems. That means if you have the encrypted
string, you can pose as the user in question, without decrypting it.
This is different from, for example, Unix crypt or MD5 passwords, where
knowing the encrypted string buys you nothing.

-- 
-- http://web.lemuria.org
--
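
The "plaintext equivalent" distinction drawn in the message above, as an added example that is not part of the original thread: in scheme A the protocol is keyed by the stored hash itself, while in scheme B the server hashes whatever the client submits. Both schemes and all function names are hypothetical toys, with SHA-256 and PBKDF2 standing in for the real algorithms; this is not Passport's or Unix crypt's actual code.

```python
import hashlib
import hmac
import os

# Toy schemes; all names here are hypothetical.

def stored_verifier(password):
    """Scheme A storage: a bare hash that doubles as the protocol key."""
    return hashlib.sha256(password.encode()).digest()

def cr_response(verifier, challenge):
    """Scheme A client: answers the challenge keyed by the hash alone."""
    return hmac.new(verifier, challenge, hashlib.sha256).digest()

def cr_server_check(db_verifier, challenge, response):
    """Scheme A server: recomputes the response from its stored hash."""
    expected = cr_response(db_verifier, challenge)
    return hmac.compare_digest(expected, response)

def make_record(password):
    """Scheme B storage: salted, iterated hash of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def rehash_server_check(record, submitted):
    """Scheme B server: hashes whatever the client submits, then compares."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted, salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def demo():
    password = "correct horse battery"  # constructed sample value
    verifier, record = stored_verifier(password), make_record(password)
    challenge = os.urandom(16)
    # A party holding only the stored values, never the password:
    stored_only_a = cr_server_check(verifier, challenge,
                                    cr_response(verifier, challenge))
    stored_only_b = rehash_server_check(record, record[1])
    owner_b = rehash_server_check(record, password.encode())
    return stored_only_a, stored_only_b, owner_b

if __name__ == "__main__":
    print(demo())
```

In scheme A the password database has to be protected as if it held cleartext passwords, because the stored value is the credential.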