New Tool Reveals Internet Passwords

wiredmikey writes "A new password cracking tool released today instantly reveals cached passwords to websites in Microsoft Internet Explorer, and mailbox and identity passwords in all versions of Microsoft Outlook Express, Outlook, Windows Mail, and Windows Live Mail."

  • by richy freeway ( 623503 ) * on Thursday July 01, 2010 @09:19AM (#32755936)
    None of this is new or amazing, I honestly can't believe something as basic as this would make front page news on /.

    Check out http://www.nirsoft.net/utils/#password_utils [nirsoft.net] for password recovery tools, for free, that have been available for ages.
  • Heh (Score:5, Interesting)

    by Pojut ( 1027544 ) on Thursday July 01, 2010 @09:22AM (#32755978) Homepage

    This reminds me of a tool I used back in the day called "Revelation". You loaded it up, clicked on the "target" icon, then clicked on a password field that was blocked with asterisks instead of displaying the password. The "hidden" password would appear in the "Revelation" box, allowing you to see what it was.

    This was how I discovered the password for our dial-up internet back when I was in middle school in the mid-90's. My mom entered the password, and usually waited until it connected...but one time she slipped up, and left before it connected. I hit "cancel", and sure enough the password was still there, just blocked by asterisks. Thanks to "Revelation", I got it and was able to log in during the middle of the night, chatting it up on Yahoo and working on my Angelfire web page.

    Ah, memories...

  • Sigh. (Score:5, Interesting)

    by Spyware23 ( 1260322 ) on Thursday July 01, 2010 @09:24AM (#32756004) Homepage

    This isn't anything like Cain & Abel or 1000+ other tools did before for OVER TEN FSCKING YEARS. If slashdot ever posts "news" from sites like securityweek again I might cancel my newsletter subscription. Tip: security knowledge comes from security related blogs/forums (i.e. hackers), not "news" websites which place more product placement than news.

    Requesting delete because that VB.NET tool doesn't deserve the bandwidth it will cost.

  • by Anonymous Coward on Thursday July 01, 2010 @09:49AM (#32756354)

    Perhaps this needs a rethink on filesystem security?

    I'm thinking a desktop OS wherein each application is assigned a directory/folder on installation, and is only able to access its own folder, a per user generic 'documents' folder, and a per user, application specific configuration folder. There'd be some costs to that - developers would have to compile against APIs and libraries rather than importing them in from the system at runtime. This would make individual programs larger and increase maintenance requirements - but at the same time it would mean that a developer would know exactly what version of said resources were in use, and at the same time harden the system against malware. Documents would still be at risk, but applications, passwords and configuration data would be protected from interference.

    The system would have to have some very strict driver models and memory management - possibly a valid use for tpm? - but in theory at least it should be workable.

    Whether anyone's got the stomach for the attempt is another matter though. :S

  • by ShadowRangerRIT ( 1301549 ) on Thursday July 01, 2010 @10:58AM (#32757432)

    Well, the Windows scheme only protects your password from malicious software if you never log in at all; once you're logged in any program can pull the passwords, even if you never load the browser. Firefox can only give up master password protected passwords if you launch the browser and provide the master password. And an extension exists to configure the Firefox password manager to "forget" the master password (which is never actually stored, but you know what I mean) after a few minutes, limiting the window of vulnerability further.

    Beyond that, if you've got truly malicious software actively running on your computer at all times (not just some website that gets brief read access through an exploit), you're hosed no matter what. Even if you never use a password manager, they can read the password as you type it into the browser; it might take more time than decrypting a password store and forwarding the data in bulk, but it's just as effective over the long haul. It's a trade off between window of vulnerability, scale of breach, and hassle. No manager at all is a hassle (to remember all usernames and passwords), but it's the most secure, since you can only lose one password at a time, with narrow windows of vulnerability. Password managers mean the scale of breach potential increases (you can lose them all at once). Firefox with a master password narrows the window of vulnerability relative to IE, and the extension that re-locks the store narrows it further, at the cost of needing to remember and type the password store password.

    I consider it a reasonable trade-off, given that I'm not going to remember the user name and password for every site I visit. Even if I wanted to use the same one everywhere (and I don't, because then one site breach means I lose everything), differing username and password requirements make that impossible, and frankly, my memory isn't good enough to track login info for fifty odd websites, including a dozen I visit only once or twice a year.

  • by ShadowRangerRIT ( 1301549 ) on Thursday July 01, 2010 @11:22AM (#32757810)

    Which is why I didn't belabor it, or introduce it out of context. I was pointing out that Firefox's scheme is only as secure as the master password you choose. The particular bad password I chose for the Spaceballs reference on the hope that it might get a chuckle or trigger a brief moment of pleasant nostalgia, forgetting that on /., every joke must be beaten to death and explained, rehashed, insulted, re-explained by someone who thinks the insult came due to unfamiliarity, etc., until all traces of humor vanish. Oh well...

    Hmm... This is an old story, so this probably won't receive any mods, but I have no idea what I'd mod it if I were moderating. Flamebait/Insightful/Funny/Interesting/Off-topic maybe? Mods, if you can coordinate to apply each of those once, it would be awesome (and I'd end up with overall neutral Karma!). :-)

  • Depends (Score:3, Interesting)

    by Sycraft-fu ( 314770 ) on Thursday July 01, 2010 @02:48PM (#32761372)

    Anything that just stores passwords for automatic login, and doesn't require any user interaction, is not secure from something like this. Reason is if a program, like say Thunderbird, can get your e-mail password to hand off to the server, well then another program can too. It is stored in some easily reversible form. However, if the program itself needs a password to access the password store, then it should be secure provided a good password is used. The reason is that it uses that password to encrypt the other passwords with strong encryption. The only way to get at them is to find out the password that is encrypting them.

    So if you want the convenience of entering no password, where it just remembers your stuff and never asks you, no, sorry, there is no way to make that secure from another program on your system. However if you have lots of passwords and can't remember all of them and just want to remember one, then a program that uses a master password to encrypt the others will keep them secure, if the master is a good password.
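
The contrast drawn in the comment above, between a store that logs in without prompting and one locked by a master password, as an added example that is not part of the original thread. All function names are hypothetical, the sample secret is constructed, and the HMAC counter-mode cipher is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example

def _keys(password: str, salt: bytes):
    # Stretch the password, then split into separate encryption and MAC keys.
    root = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-GCM or similar.
    stream = b""
    for i in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(password: str, secret: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, nonce, secret.encode())
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal(password: str, blob: bytes) -> str:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    good = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong master password or tampered store")
    return _xor_stream(enc_key, nonce, ct).decode()

def save_for_auto_login(secret: str) -> dict:
    # No prompt at startup means the key has to be stored where the program,
    # and therefore any other program running as the same user, can read it.
    key = os.urandom(32).hex()
    return {"key": key, "blob": seal(key, secret)}

def other_program_reads(record: dict) -> str:
    # Needs nothing the record does not already contain.
    return unseal(record["key"], record["blob"])

def master_password_holds(blob: bytes, guess: str) -> bool:
    # True when the guess fails to open the store.
    try:
        unseal(guess, blob)
    except ValueError:
        return True
    return False
```

The master-password store is only as strong as the password and the work factor: the salt and iteration count slow each guess, they do not rescue a guessable password.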
