New Tool Reveals Internet Passwords
wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."
Title is Inaccurate (Score:5, Informative)
Re:Prettier Tool, Old Exploit (Score:5, Informative)
Re:Prettier Tool, Old Exploit (Score:3, Informative)
Re:Prettier Tool, Old Exploit (Score:3, Informative)
If you assign a master password, that changes for you a bit; it won't show them without you entering the master password, twice IIRC.
Firefox password security (Score:4, Informative)
Firefox offers an option to use a [user-supplied] master password to encrypt/decrypt password data. If a Firefox user enables that functionality, then Firefox would not [by my guess] be vulnerable to an exploit strategy such as the one employed by this cracking product (which relies on rule-based keys instead of a user-supplied key). Firefox passwords may, however, be vulnerable to other cracking strategies.
Here are some more details about how Firefox stores passwords. [luxsci.com]
Re:Heh (Score:3, Informative)
The kind who had found his step-dad's "collection", and didn't need crappy mid-90's Internet video for his fapping ;-)
Re:Prettier Tool, Old Exploit (Score:2, Informative)
Except the first time you want to access the password store in each session, you present your password that "unlocks" the password store, then THAT password is persisted for the remainder of the session. So, either way, if you visit a malicious website the chances are your password store is in a vulnerable state (the password store is open for business, and the password is available somewhere). In both the Seamonkey/Firefox and Microsoft cases, the password store is vulnerable once it's logged in. The only difference is that in the Microsoft case, you're always logged in. In the Seamonkey/Firefox case, you're only logged in after you've entered the password to access the password store, which is probably "only" 99% of the time you surf the Web, but at least the password store is pretty secure if you're not running your browser at all, or haven't used the password store yet for that session.
Of course, the alternative is to use the password just long enough to perform the requested operation, then forget it. That means, though, that you'd have to ask for the security password every time a site wants to retrieve a password from the store or the user wants to add or update a password in the store. Then people would just remove the password, because that would be a pain. Think Vista/7 UAC popups that each need a password, or sudo/su in Linux, but every time you want to use a stored password in your browser. Most people would tolerate that for about as long as it takes to remove the password.
And, if you don't bother putting a password on it (Firefox leaves the password off by default, and I don't know anyone else who actually uses it), then Firefox is just as vulnerable as the Microsoft exploit.
Yes, the tool is AVAILABLE, but the benefits it offers are somewhat marginal and it's not the default setting.
If you want passwords stored and entered automatically, then the passwords are no longer under your control to enter manually and there's going to be a way for them to be read once you make them conveniently available. By all means, use the password store (and the password that protects it, please!) for things like your Slashdot account, etc. Just for the love of [insert deity of choice] DON'T use it for passwords like your bank account or credit cards.
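A constructed model of the two policies compared in the comment above, session-cached unlock versus asking for the master password on every retrieval. It is an added illustration, not code from Firefox, Seamonkey, Microsoft or any poster. The class, its method names and the sample credentials are hypothetical, and the HMAC-based keystream stands in for a real cipher.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher such as AES-GCM.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class PasswordStore:
    def __init__(self, master, entries, iterations=50_000):
        self._salt, self._iter = os.urandom(16), iterations
        keys = self._derive(master)
        self._check = self._seal(keys, b"check")   # lets unlock() verify the password
        self._entries = {s: self._seal(keys, p.encode()) for s, p in entries.items()}
        self._keys = None                          # cached keys; None means locked

    def _derive(self, master):
        dk = hashlib.pbkdf2_hmac("sha256", master.encode(), self._salt, self._iter, dklen=64)
        return dk[:32], dk[32:]                    # (encryption key, MAC key)

    def _seal(self, keys, plaintext):
        nonce = os.urandom(16)
        ct = _xor_stream(keys[0], nonce, plaintext)
        return nonce, ct, hmac.new(keys[1], nonce + ct, hashlib.sha256).digest()

    def _open(self, keys, blob):
        nonce, ct, tag = blob
        good = hmac.new(keys[1], nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            raise PermissionError("wrong master password")
        return _xor_stream(keys[0], nonce, ct)

    def unlock(self, master):                      # session policy: keys stay cached
        keys = self._derive(master)
        self._open(keys, self._check)              # raises on a wrong password
        self._keys = keys

    def lock(self):
        self._keys = None

    def get(self, site):                           # asks for nothing while unlocked
        if self._keys is None:
            raise PermissionError("store is locked")
        return self._open(self._keys, self._entries[site]).decode()

    def get_once(self, site, master):              # per-use policy: keys never cached
        keys = self._derive(master)
        self._open(keys, self._check)
        return self._open(keys, self._entries[site]).decode()
```

After `unlock()`, every `get()` succeeds for any caller in the process until `lock()` is called; `get_once()` works on a locked store and leaves it locked, at the cost of a prompt per retrieval.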