Re: Passwords

From: Dave White (nospam_at_spam.com)
Date: 12/18/03


Date: Thu, 18 Dec 2003 14:22:55 -0600


"Ben Hochstrasser [FF]" <bhoc@tiscali123^H^H^H.ch> wrote in message
news:Xns9455CF4D2A749bhoc@207.105.83.66...
> GenJerDan wrote:
>
> > Can Mozilla do it? Or is it just a case of encrypting the password you
> > supply and comparing it to the encrypted version in the Registry, then
> > saying yea or nay?
>
> Challenge/response won't do here - after all the password has to be sent to
> the pop server in clear text.
> I suspect the hex thingy is some offset within a different registry value.

Not necessarily. My guess is that the value in the registry is probably
some kind of one-way hash of the plaintext password. Although the password
is stored encrypted on the user's system, he needs to enter the password in
plaintext in order to use the system. This plaintext version can then be
hashed, and compared to the value in the registry. If the hashes match, the
plaintext version that the user entered can be sent to the POP server.

Does the OP use Outlook Express's option to Save password? If not, then the
system will only need to store a hashed value for validation with the
plaintext entered version. If the user IS storing the password, it would be
my guess that this is then stored in two places - once as a one-way hashed
version, and a second time in either plaintext, or in a de-encryptable
version. I vaguely remember a warning from Microsoft that if you use the
Save Password option that the data is stored in an insecure format on the
system.

Dave White
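
The hash-and-compare check guessed at in the post above, as an added sketch that is not part of the original thread and does not describe how Outlook Express or Mozilla actually store anything. The choice of salted PBKDF2-HMAC-SHA256, the record layout and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way derivation: the output cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_verifier(password: str) -> dict:
    """Build the record kept on the local system: salt and digest only."""
    salt = os.urandom(16)  # per-record salt, so equal passwords give different digests
    return {
        "salt": salt,
        "iterations": ITERATIONS,
        "digest": _derive(password, salt, ITERATIONS),
    }


def check_password(entered: str, record: dict) -> bool:
    """Hash what the user typed and compare it with the stored digest."""
    candidate = _derive(entered, record["salt"], record["iterations"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def password_for_server(entered: str, record: dict):
    """Release the typed plaintext for the mail login only if it matches the record."""
    return entered if check_password(entered, record) else None


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    record = make_verifier("correct horse")
    print("stored digest:", record["digest"].hex())
    print("right password released:", password_for_server("correct horse", record) is not None)
    print("wrong password released:", password_for_server("battery staple", record) is not None)
```

A saved-password feature cannot be built from this record alone, because the digest cannot be turned back into the plaintext the server needs.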


