Page last updated:
2002 Aug 24 13:37

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] Website Passwords


On Sat, 24 Aug 2002, Robert G. Scofield wrote:
> I subscribe to an expensive web based research program for my business.  I 
> start the program by typing a password on a webpage.  When I type the 
> password, asterisks are echoed back to represent the characters of the 
> password.
> 
> Here's my question.  If I use this service where the public has access to the 
> webpage; say the U.C.Davis Law Library, can someone get into someplace like 
> the browser cache and retrieve the password?  In other words, how secure is 
> the password (after I log off and leave) in computers to which the public has 
> access?
> 
> Thank you.

Anything[1] is possible.

[1] within limits ;-)

This depends upon the browser and how it decides to handle your
authentication. MSIE allows for "AutoComplete" so that it will fill in
usernames, passwords, addresses, phone numbers, etc for you. If
autocomplete is enabled without your knowledge, then users using this
machine after you may be able to visit your content without knowing your
password. This information will be filled in for them when they look at
the same auth page you examined.

I don't know how autocomplete stores its data on disk, but since it is a
Microsoft product, I would not be surprised if it was plaintext, in the
registry, or using a 31337 Double-XOR encryption scheme (same key). They
may have sense enough to encrypt it in some way, but their history of
"encryption" for security has not been too good.

Even if they do not, autocomplete would fill it in for them, and there
have been tools for windows which allow you to highlight the asterisks
for password fields in web browsers and see the plain-text versions
anyway.

This is just info for MSIE. Each browser can do its own thing. It is best
to not access content requiring authentication from public machines unless
you don't mind others looking at it and having the same control as your
used authentication has. Even if the admins of the public machines do not
install any trojan software to steal usernames/passwords or watch users in
sessions, there is no guarantee that another person broke the system
security and installed one.

When you use an untrusted system to enter personal or private data, you
are actually choosing to "trust an untrusted system" thus making the
untrusted system a kind of "de facto" trusted system by action.

related personal note:

I give users access to store data using WebDAV and the whole "Internet
Folders" thing and have done quite a bit to help offer lots of security. I
tell them it is more secure to not use public machines, as they may be
trojaned and their username/password to write files may be stolen. I also
tell them, that their content is insulated enough to make the only thing
at risk (AFAIK) their content, so they will likely be the only losers of
data if they should be unfortunate in their system authentication. They
are only permitted to export content as they are not allowed to use SSI,
CGI, or any server processing. (Server enforced.) Even if a rogue user
gets their account, they can only read/write/erase their data, and with
all else, should not be able to harm my stuff.

Your web content may be more exposed. If you can install scripts for the
server to run, then a would-be attacker could leverage your access to
attack the system through the same script access you have.

-ME


_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox
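An added example, not from the post or the list: the server-side controls a site operator can apply so that a login page used from a shared machine leaves as little as possible in the browser cache. The header values are standard HTTP; the helper functions and the form markup are constructed for this illustration, and `autocomplete="off"` is only a hint that browsers may ignore for password fields, so the cache headers carry the real weight.

```python
# Added example: server-side controls for a login page that is likely to be
# used from shared machines. Header names/values are standard HTTP; the
# helper functions and form are constructed for this illustration.
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_FORM = """<form method="post" action="/login" autocomplete="off">
  <input type="text" name="user" autocomplete="off">
  <!-- a hint only: browsers may still offer to save password fields -->
  <input type="password" name="pass" autocomplete="off">
  <input type="submit" value="Log in">
</form>"""


def no_store_headers() -> dict:
    """Headers telling the browser (and any intermediate proxy) not to
    keep a copy of this response on disk."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",  # honoured by HTTP/1.0 caches
        "Expires": "0",
    }


def retained_by_shared_browser(headers: dict) -> bool:
    """True if a browser may legitimately write this response to its
    on-disk cache, which is what the original question worries about."""
    cc = headers.get("Cache-Control", "").lower()
    directives = {d.strip() for d in cc.split(",")}
    return "no-store" not in directives


class LoginHandler(BaseHTTPRequestHandler):
    """Serves the login form with the no-store headers attached."""

    def do_GET(self):
        body = LOGIN_FORM.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in no_store_headers().items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), LoginHandler).serve_forever()
```

The same headers belong on every authenticated page, not just the login form, since the cached content after login is what a later user of the machine would read.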