Internet Explorer Windows

New Tool Reveals Internet Passwords 140

wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."
This discussion has been archived. No new comments can be posted.

  • Title is Inaccurate (Score:5, Informative)

    by Cytlid ( 95255 ) on Thursday July 01, 2010 @09:21AM (#32755968)
    It should read "New Tool Reveals Windows Passwords".
  • by ShadowRangerRIT ( 1301549 ) on Thursday July 01, 2010 @09:26AM (#32756028)
    This is of course why Firefox (and I presume a few other browsers) has the option to protect your password cache with a master password. Instead of remembering every single user name and password, you can store them all behind encryption, but the key for this encryption is in your head, not the disk. Obviously still open to exploits if you're infected (pop up a fake window requesting the master password, hook the browser itself and read the keystrokes passed to it, etc.), but virtually any exploit that can grab the master password could grab the real passwords anyway, so the distinction is trivial. As long as your master password isn't "12345" of course.
  • by AlexiaDeath ( 1616055 ) on Thursday July 01, 2010 @09:27AM (#32756040)
    msgshit.com - interesting domain name. Deliberate, it seems. 5pts. All your cached passwords are readable. They have to be to be used. Duh! Nobody caching their passwords should be surprised by that...
  • by ehrichweiss ( 706417 ) * on Thursday July 01, 2010 @09:52AM (#32756396)

    If you assign a master password that changes for you a bit; it won't show them without you entering the master password, twice IIRC.

  • by bartwol ( 117819 ) on Thursday July 01, 2010 @09:57AM (#32756484)

    Firefox offers an option to use a [user-supplied] master password to encrypt/decrypt password data. If a Firefox user enables that functionality, then Firefox would not [by my guess] be vulnerable to an exploit strategy such as the one employed by this cracking product (which relies on rule-based keys instead of a user-supplied key). Firefox passwords may, however, be vulnerable to other cracking strategies.

    Here are some more details about how Firefox stores passwords. [luxsci.com]
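
Added example (not part of the original thread, and not code from Firefox, Microsoft or the tool discussed): a minimal Python sketch of the distinction drawn in the comments above between a store key computed by rule from data on disk and a key derived from a user-supplied master password. The key rule, the record layout, the demo cipher and all sample values are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Demo-only cipher: HMAC-SHA256 in counter mode, so only the stdlib is needed.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unseal(key: bytes, rec: dict):
    tag = hmac.new(_subkey(key, b"mac"), rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, rec["tag"]):
        return None  # wrong key or tampered record
    return _xor_stream(_subkey(key, b"enc"), rec["nonce"], rec["ct"])

def rule_based_key(site: bytes) -> bytes:
    # Assumed rule for illustration: key computed from data stored beside the ciphertext.
    return hashlib.sha256(b"constructed-app-constant|" + site).digest()

def master_key(master_password: str, salt: bytes) -> bytes:
    # User-supplied secret stretched with PBKDF2; only the salt is written to disk.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)

def build_stores(master_password: str, site: bytes, secret: bytes):
    salt = secrets.token_bytes(16)
    store_a = {"site": site, **seal(rule_based_key(site), secret)}
    store_b = {"site": site, "salt": salt,
               **seal(master_key(master_password, salt), secret)}
    return store_a, store_b

def read_with_file_only(store: dict):
    # Everything used here comes from the file itself plus the known rule.
    return unseal(rule_based_key(store["site"]), store)

def read_with_master(store: dict, master_password: str):
    return unseal(master_key(master_password, store["salt"]), store)
```

With the file alone, `read_with_file_only` recovers the secret from the rule-keyed store and returns `None` for the master-password store; the latter's strength then rests on the master password itself, as the "12345" remark above points out.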

  • Re:Heh (Score:3, Informative)

    by Pojut ( 1027544 ) on Thursday July 01, 2010 @10:33AM (#32757012) Homepage

    The kind who had found his step-dad's "collection", and didn't need crappy mid-90's Internet video for his fapping ;-)

  • by natehoy ( 1608657 ) on Thursday July 01, 2010 @10:53AM (#32757354) Journal

    Except the first time you want to access the password store in each session, you present your password that "unlocks" the password store, then THAT password is persisted for the remainder of the session. So, either way, if you visit a malicious website the chances are your password store is in a vulnerable state (the password store is open for business, and the password is available somewhere). In both the Seamonkey/Firefox and Microsoft cases, the password store is vulnerable once it's logged in. The only difference is that in the Microsoft case, you're always logged in. In the Seamonkey/Firefox case, you're only logged in after you've entered the password to access the password store, which is probably "only" 99% of the time you surf the Web, but at least the password store is pretty secure if you're not running your browser at all, or haven't used the password store yet for that session.

    Of course, the alternative is to use the password just long enough to perform the requested operation, then forget it. That means, though, that you'd have to ask for the security password every time a site wants to retrieve a password from the store or the user wants to add or update a password in the store. Then people would just remove the password, because that would be a pain. Think Vista/7 UAC popups that each need a password, or sudo/su in Linux, but every time you want to use a stored password in your browser. Most people would tolerate that for about as long as it takes to remove the password.

    And, if you don't bother putting a password on it (Firefox leaves the password off by default, and I don't know anyone else who actually uses it), then Firefox is just as vulnerable as the Microsoft exploit.

    Yes, the tool is AVAILABLE, but the benefits it offers are somewhat marginal and it's not the default setting.

    If you want passwords stored and entered automatically, then the passwords are no longer under your control to enter manually and there's going to be a way for them to be read once you make them conveniently available. By all means, use the password store (and the password that protects it, please!) for things like your Slashdot account, etc. Just for the love of [insert deity of choice] DON'T use it for passwords like your bank account or credit cards.
