
Passwords Can Sit on Hard Disks for Years 449

CygnusXII writes "As people spend more time on the web and hackers become more sophisticated, the dangers of storing personal information on computers are growing by the day, security experts say. There are some obvious safeguards, such as never allowing your computer to store your passwords. But even that is no guarantee of security."

Comments:
  • P2P (Score:5, Insightful)

    by Anonymous Coward on Tuesday June 08, 2004 @10:08AM (#9365430)
    It's amazing how easy it is to find people's password files shared on P2P apps like DirectConnect, Gnutella, etc. There's everything - Total Commander (FTP), WS FTP, mail clients, you just have to search for the proper file name.
  • by ciroknight ( 601098 ) on Tuesday June 08, 2004 @10:09AM (#9365437)
    I've still got a three year old password on a postit note on the side of my monitor. It just goes to show you that passwords can sit anywhere.

    The real question is, if a password's that old, what use SHOULD it still have? Hopefully, people adopt policies where they update passwords every month, or few months, especially if it's dealing with anything financial/uber personal (doctor's records.. etc).

    Get real, stop trying to scare us with your security warnings; just educate people to change their passwords.
  • by Ironstud ( 134877 ) on Tuesday June 08, 2004 @10:09AM (#9365439)
    Passwords have been on hard drives for many many years. No matter if you are using M$ operating system or a linux there are passwords on the machine. If people don't know how to protect their computers then maybe they should just give their ATM card password to the public domain.
  • by rickthewizkid ( 536429 ) on Tuesday June 08, 2004 @10:10AM (#9365460)
    ... and nobody's figured it out yet. I actually use several passwords, depending on the level of security. The "lowest" password, "password", is used for signing up to things like mailing lists, etc where there's little chance of me returning. The mid-level password, a pair of words with numbers in them, is used for mid-level security, such as my email, etc. The highest level password, a random collection of numbers, letters, and symbols, is used for the most secure information, such as my bank account, slashdot login and my pr0n encryption key.

    Now if I could only remember the combination to my safe.....

    Just my 46fctfj6&*23's worth....
    -Rick the WizKid
    (oooops...)
  • by LBArrettAnderson ( 655246 ) on Tuesday June 08, 2004 @10:11AM (#9365476)
    There's no way to be 100% secure with passwords and the likes, but there are some things everyone should do. 1.) don't have the same password for everything! The website admins to every site you use a password for have access to it (and no one can trust a slashdot editor!). 2.) change your password often. The more often the better. This won't always work since most people, when they get a password, will do their damage immediately... but you never know. Another advantage here is OLD websites that you visited a long time ago may change and new administrators will have access to your password.

    pretty redundant stuff, but good advice that most people are too lazy to follow.
  • whats new (Score:1, Insightful)

    by Anonymous Coward on Tuesday June 08, 2004 @10:11AM (#9365477)
    This is as old as the first computer with a password.
    The security of your personal information (credit card number, password etc...) lies with the companies storing them.

    We all know that hackers acquire passwords by hacking companies' databases. Until companies use stringent privacy and security procedures and implementations the world wide web remains a wild west show.

    Greetings,
    Lord Flashheart.
  • Stupid (Score:2, Insightful)

    by barcodez ( 580516 ) on Tuesday June 08, 2004 @10:16AM (#9365538)
    I've always found it stupid that you can log on to a windows domain without being connected to the network assuming you have successfully logged onto the domain with that machine.

    I'm assuming that a windows machine keeps a copy of every username and a password hash (NTLM?) used to log in to any domain locally somewhere on the harddrive.

    That is scary news really especially in hotdesk/shared desktop environments.

    Isn't there something along the lines of "Client side security is no security at all" in Microsoft's security axioms. Can't even follow their own standards.
  • by arevos ( 659374 ) on Tuesday June 08, 2004 @10:23AM (#9365638) Homepage
    Correct me if I'm wrong, but if an attacker has the permissions to trawl through the swap, then couldn't they just insert a keylogger, instead? That seems to be considerably simpler, to me.

    I suppose there's an argument about someone getting the passwords off old machines that have been thrown out. But even then, surely any respectable business will use some software to scrub out all the last traces of sensitive data on any hard drives they're dumping.

    An encrypted hard drive wouldn't protect against a key logger. It would protect sensitive data against physical theft, I suppose. But I wouldn't call that "hacking".
  • by andy55 ( 743992 ) * on Tuesday June 08, 2004 @10:29AM (#9365712) Homepage
    ...must...not...feed....the trolls.....

    ...breaking down....

    There is still a security risk. What if someone gets your Pastor password. Then they can have them all.

    You must be new here. You can *always* use that argument. Someone can *always* install a key recorder or watch you type in your password. Security is about raising barriers, not about thinking/searching for something that will solve the impossible.
  • Holy Crap! (Score:2, Insightful)

    by uncledrax ( 112438 ) on Tuesday June 08, 2004 @10:32AM (#9365746) Homepage
    ["Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive."]
    In fact.. such operating systems are DESIGNED to write to the hard disk..
    (like someone said above.. someone just discovered the swap/page file)

    I think the author needed to be a little more articulate with the wording.
  • by laigle ( 614390 ) on Tuesday June 08, 2004 @10:36AM (#9365799)
    That a hacker will necromance your password off the hard drive, or that you'll get a keylogging spyware installation? To avoid the first you need to never store your password, to avoid the second you need to always store it. Sure, we could all go to scratch pads coupled with retinal scans, but nobody's going to pay for that infrastructure.

    Bottom line, patch your software, get a firewall, be careful about opening email, don't use IE or Outlook, and do virus/spyware scans regularly. You'll be safe from all but the most determined hackers, and they don't care about your password.
  • Re:Hehe (Score:5, Insightful)

    by Mortoc ( 786452 ) on Tuesday June 08, 2004 @11:18AM (#9366393)
    The fact that a password can sit on a hard drive is really irrelevant. If someone has access to your hard drive, they might as well just set up a keylogger and wait till you access a bank account or something, that would be much easier than wading through hundreds of megabytes of swap. This security hole is almost completely irrelevant, the only time that I would worry about something like that is when throwing away a computer (which should be recycled anyway). Someone interested enough could go through your trash, remove an old hard drive and start snooping around.
  • Re:Repairs (Score:3, Insightful)

    by Reziac ( 43301 ) on Tuesday June 08, 2004 @11:21AM (#9366437) Homepage Journal
    I've had people ask me what I do about the fact that I can see all my clients' sensitive data (and in some cases have their backup archives stored on one of my everyday work machines):

    Even though in the course of sorting out a mess, I may need to use your passwords and look through your files, the *content* goes in one eyeball and out the other. I just don't CARE what's on your hard disk. Your personal life isn't that interesting. I have a million files and passwords and accounts of my own; I don't need to be burdened with yours.

    And I think you'll find that's the attitude any mature tech has. It's pimply kids still at the "overly curious" phase of life (or people who never matured beyond the snoopy stage) who will root through your data just because they CAN.

    Trouble is, you don't always have control over who works on your machine. And no amount of privacy laws or industry guarantees can stop some kid from snooping when no one is looking.

  • by at_kernel_99 ( 659988 ) on Tuesday June 08, 2004 @11:50AM (#9366775) Homepage
    There is still a risk. The whole point of the article was that when memory is cached on disk, it is accessible from disk for an indeterminate period of time - possibly years before it's overwritten. So when your Pastor program un-obfuscates your data, where is it? In RAM? In cleartext? Maybe Macs don't have this problem (though I doubt it).
  • Re:Rubbish! (Score:4, Insightful)

    by julesh ( 229690 ) on Tuesday June 08, 2004 @11:58AM (#9366899)
    Operating systems such as Windows and Linux have no facility for stopping data being written to the hard drive.

    That's a flat out lie.

    $ man mlock

    MLOCK(2) Linux Programmer's Manual MLOCK(2)

    NAME

    mlock - disable paging for some parts of memory


    Indeed, and under Windows (quoted from msdn.microsoft.com):

    The VirtualLock function enables a process to lock one or more pages of committed memory into physical memory (RAM), preventing the system from swapping the pages out to the paging file.
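The mlock(2)/VirtualLock approach julesh describes, written out as an added example (this is not code from the thread or from any product discussed in it). It pins a page-aligned buffer in RAM so the kernel will not page it out, and wipes it while it is still locked, so the plaintext never becomes swappable between munlock() and free(). The struct name, function names, 64-byte size and the sample password "hunter2" are all made up for the demonstration; the code is POSIX/Linux only.

```c
/* Added example, not from the Slashdot thread: keeping a secret out of swap
 * with mlock(2), then wiping it before release.  POSIX/Linux only.
 * The buffer size and the sample secret are constructed for the demo. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef struct {
    unsigned char *ptr;   /* page-aligned buffer holding the secret */
    size_t len;           /* bytes requested by the caller */
    size_t alloc_len;     /* len rounded up to whole pages */
    int locked;           /* 1 if mlock() succeeded, 0 if it failed */
    int lock_errno;       /* errno from a failed mlock(), else 0 */
} secret_buf;

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as "dead" just because the buffer is freed afterwards. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Allocate a page-aligned, zeroed buffer and pin it in RAM.  mlock() fails
 * with ENOMEM when the caller's RLIMIT_MEMLOCK is exhausted; this reports
 * that in the struct rather than aborting, so the caller decides whether an
 * unlocked buffer is acceptable.  Returns 0 on success, -1 if no memory. */
int secret_buf_init(secret_buf *b, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) page = 4096;
    memset(b, 0, sizeof *b);
    b->len = len;
    b->alloc_len = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    if (posix_memalign((void **)&b->ptr, (size_t)page, b->alloc_len) != 0) {
        b->ptr = NULL;
        return -1;
    }
    memset(b->ptr, 0, b->alloc_len);
    if (mlock(b->ptr, b->alloc_len) == 0)
        b->locked = 1;
    else
        b->lock_errno = errno;
    return 0;
}

/* Copy a secret in.  Returns the number of bytes stored, or -1 if it
 * does not fit in the requested length. */
int secret_buf_store(secret_buf *b, const void *src, size_t n) {
    if (n > b->len) return -1;
    memcpy(b->ptr, src, n);
    return (int)n;
}

/* Wipe, unlock, free, in that order: the zeroing happens while the pages
 * are still locked, so no plaintext copy can be paged out on the way out. */
void secret_buf_destroy(secret_buf *b) {
    if (!b->ptr) return;
    secure_wipe(b->ptr, b->alloc_len);
    if (b->locked) munlock(b->ptr, b->alloc_len);
    free(b->ptr);
    b->ptr = NULL;
    b->locked = 0;
}

/* Returns 1 if every byte of p[0..n) is zero (used to check the wipe). */
int all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

int main(void) {
    const char secret[] = "hunter2";   /* constructed sample password */
    secret_buf b;
    if (secret_buf_init(&b, 64) != 0) { perror("secret_buf_init"); return 1; }
    printf("locked in RAM: %s\n", b.locked ? "yes" : "no (mlock failed)");
    if (!b.locked) printf("mlock error: %s\n", strerror(b.lock_errno));
    secret_buf_store(&b, secret, sizeof secret);
    /* ... authenticate with b.ptr here, then release ... */
    secret_buf_destroy(&b);
    return 0;
}
```

Two caveats a practitioner would want alongside the man page quote: mlock() only stops ordinary paging. A core dump still includes the locked pages unless the process also lowers RLIMIT_CORE or marks the range with madvise(MADV_DONTDUMP), and hibernation (suspend-to-disk) writes the whole of RAM, locked pages included, to the hibernation file. VirtualLock on Windows has the same relationship to hiberfil.sys. So locking is necessary but not sufficient for the "never touches the disk" property the article discusses.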
  • Re:Hehe (Score:3, Insightful)

    by Gr8Apes ( 679165 ) on Tuesday June 08, 2004 @12:00PM (#9366933)

    Flamebait? Give me a break. Obviously a MS Fanboy.

    Don't assume incompetence. Sometimes, portions of the registry just become unrecoverable and unrepairable, through no fault of anyone other than MS. Yes, I'm aware that there's a way to completely back them up and replace them, but sometimes, that's moot when the initial backup is already corrupted. With a good initial hardware/software setup and proper precautions, I too can run a system for years and years, and never have it degrade. (Ran a datacenter for about 4 years) Still, this doesn't address the fragility of MS OSes. Oh, and I have a 95 system that's been up since 96. Big deal.

  • by LookSharp ( 3864 ) on Tuesday June 08, 2004 @01:04PM (#9367720)
    Of course, you could always use Knoppix or something similar whenever buying on-line. This would also solve the problem for the truly paranoid.

    Of course, because everyone knows that retailers all use crackerjack security and are completely impenetrable by malicious forces. :)

    (Everyone always forgets that these are two-party-- or more-- transactions.)
  • by Quelain ( 256623 ) on Wednesday June 09, 2004 @07:17AM (#9375429)
    There was an Amiga virus which could survive in RAM for a few minutes with power off. I forget what it was called, but on power on it would laugh at you and refuse to let you boot anything else :)

    Even if your standard RAM didn't have any chance of storing recoverable data, I'd bet any spooks worth their salt would do it anyway. There's always the chance someone could have substituted in some flash-ram backed 'custom' jobbies.
