Schneier on Security
A blog covering security and security technology.

December 13, 2004

The Doghouse: Internet Security Foundation

This organization wants to sell its tool for viewing passwords in text boxes "hidden" by asterisks on Windows. It claims this is "a glaring security hole in Microsoft Windows" and a "grave security risk." Its web page is thick with FUD, and warns that criminals and terrorists can easily clean out your bank accounts because of this problem.

Of course, the problem isn't that users type passwords into their computers. The problem is that programs don't store passwords securely. The problem is that programs pass passwords around in plaintext. The problem is that users choose lousy passwords, and then store them insecurely. The problem is that financial applications still rely on passwords for security rather than two-factor authentication.

But the "Internet Security Foundation" is trying to make as much noise as possible. It even has a nasty letter to Bill Gates that you can sign (36 people had signed, the last time I looked). I'm not sure what their angle is, but I don't like it.

Posted on December 13, 2004 at 1:32 PM • 13 Comments

Comments

Tim Green • December 13, 2004 2:08 PM
This is not a new utility. I used one to recover my mother's dial-up password in Windows 98. The password was hidden behind the asterisks, and any Windows object walker and inspector could find the text box and read the true value.

ben • December 13, 2004 2:11 PM
Speaking of security... have you written anything on the effects quantum computing will have on security (specifically crypto)? I'd be interested in hearing your thoughts on this.
Doesn't seem like it's too far away and, from the few books I've read, seems like it's going to force a rethink of virtually all crypto which, as far as I know (which ain't much :), is the only way to really send stuff around securely on the net.

Javier Jarava • December 13, 2004 2:50 PM
Snadboy Revelation has been able to do that for ages ;) And it's been widely publicised in forums such as the book "Hacking Exposed" (www.hackingexposed.com).

Joe Mason • December 13, 2004 2:59 PM
Seems like anything that draws attention to the fact that passwords aren't secure is a good thing, even if they're being clumsy about it.

Marc • December 13, 2004 3:44 PM
Interesting that you can sign up anyone for the petition; look at entry number 6 in the signatures. I wonder if it's just coincidence that "Natalie Wood" sent in the 'real life story'.

Tim • December 13, 2004 4:36 PM
Dear God, they also post the IP addresses of everyone who posts a comment. It's like a list of all the clueless people on the internet in one place.

Quadro • December 13, 2004 7:16 PM
Another example of bad security! Publishing the IP addresses of posters seems to just beg for hackers... So don't post if the IP addresses of the other posters are visible. Not saying that it's bad to log IPs, to track down spammers for example. Just don't publish them! (Though I must admit, I was guilty of this in an old version of a script I wrote...)

John • December 13, 2004 9:51 PM
Sell? LOL. You can get this as a free extension to any of the Mozilla-based browsers.

Joe White • December 15, 2004 4:58 PM
I wrote an app to do the exact same thing, about five years ago. And it's trivial to write a program that resists this kind of casual snooping. All it takes is to not put the actual password into the text box; put a sentinel value there instead, and watch to see if the user ever changes that value. I've run across programs that already do this.
(Often you can tell: you go back into the edit screen, and there are a different number of asterisks than there were when you saved!) Granted, this won't make the app secure, but even if the user demands that you persist their passwords, you can still take some care.

Greenflame • December 21, 2004 11:45 PM
I wonder why nobody breaks into Linux, and I think ciphering asterisks is a matter

Internet Threat • August 25, 2009 12:28 AM
The irony is that security tools are now being used by the crackers to leverage advantage. And how many times do you see a security consultant advise a course of action that is just the same as cracking? There is no money in being the good guy in security at the coal face; better to just respond to the problems, or comment on them.
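The sentinel pattern Joe White describes above, worked through as an added example that is not code from the post or from any commenter. It models the logic behind a password edit box: the real secret never goes into the widget, a fixed-length placeholder does, and on Save the program checks whether the user ever touched that placeholder. The names (PasswordFieldModel, SENTINEL, simulate_inspector) and the sample password are this example's own; how the secret is protected at rest is deliberately out of scope.

```python
# Added example (not from the post or its comments): the "sentinel in the
# text box" pattern from Joe White's comment, as a model behind an edit box.
# All names here are this example's own.
from typing import Optional

# A fixed-length placeholder is all the edit box ever holds. Walking the
# window's controls yields only this string, and the count of masked
# characters no longer leaks the real password's length (the giveaway the
# comment mentions: a different number of asterisks after reopening).
SENTINEL = "\u2022" * 12


class PasswordFieldModel:
    """Keeps the real secret out of the widget; only the sentinel goes in."""

    def __init__(self, saved_secret: Optional[str] = None):
        # Where and how the secret is protected at rest (OS credential
        # store, encryption) is a separate concern; this class only keeps
        # it out of the user interface.
        self._secret = saved_secret

    def text_for_widget(self) -> str:
        """What to load into the edit box when the screen opens."""
        return SENTINEL if self._secret is not None else ""

    def commit(self, widget_text: str) -> str:
        """Called on Save with the box's current text.

        Returns 'unchanged' (user never touched the box), 'cleared'
        (user emptied it) or 'updated' (user typed a new password).
        """
        if self._secret is not None and widget_text == SENTINEL:
            return "unchanged"
        if widget_text == "":
            self._secret = None
            return "cleared"
        # Any other text is a newly typed password. A real form would blank
        # the box on the first keystroke so the sentinel cannot be appended to.
        self._secret = widget_text
        return "updated"

    def has_secret(self) -> bool:
        return self._secret is not None


def simulate_inspector(model: PasswordFieldModel) -> str:
    """Stands in for an object walker reading the control's text property."""
    return model.text_for_widget()


if __name__ == "__main__":
    # Constructed sample: a saved password, then a reopened edit screen.
    model = PasswordFieldModel("example-saved-password")
    print("inspector sees:", simulate_inspector(model))   # bullets only
    print("save untouched:", model.commit(SENTINEL))       # unchanged
    print("save new text:", model.commit("new-password"))  # updated
    print("inspector sees:", simulate_inspector(model))   # still bullets
```

The check that matters is in `commit`: because the widget text is compared against the sentinel rather than against the stored secret, the program can tell "left alone" from "retyped" without the secret ever being present in a control that any inspector can read. The first keystroke should clear the box in a real form; otherwise a user who types after the sentinel ends up with bullet characters in the new password.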