Bruce Schneier


Schneier on Security

A blog covering security and security technology.


December 13, 2004

The Doghouse: Internet Security Foundation

This organization wants to sell their tool to view passwords in textboxes "hidden" by asterisks on Windows. They claim it's "a glaring security hole in Microsoft Windows" and a "grave security risk." Their webpage is thick with FUD, and warns that criminals and terrorists can easily clean out your bank accounts because of this problem.

Of course the problem isn't that users type passwords into their computers. The problem is that programs don't store passwords securely. The problem is that programs pass passwords around in plaintext. The problem is that users choose lousy passwords, and then store them insecurely. The problem is that financial applications are still relying on passwords for security, rather than two-factor authentication.

But the "Internet Security Foundation" is trying to make as much noise as possible. They even have this nasty letter to Bill Gates that you can sign (36 people had signed, the last time I looked). I'm not sure what their angle is, but I don't like it.

Posted on December 13, 2004 at 1:32 PM


Comments

This is not a new utility. I used one to recover my mother's dial-up password in Windows 98 - the password was hidden behind the asterisks and any Windows object walker and inspector could find the text box and read the true value.

Posted by: Tim Green at December 13, 2004 2:08 PM


Speaking of security... have you written anything on the effects quantum computing will have on security (specifically crypto)? I'd be interested in hearing your thoughts on this. Doesn't seem like it's too far away and, from the few books I've read, seems like it's going to force a rethink of virtually all crypto which, as far as I know (which ain't much :), is the only way to really send stuff around securely on the net.

Posted by: ben at December 13, 2004 2:11 PM


Snadboy Revelation has been able to do that for ages ;)
http://www.snadboy.com/

And it's been widely publicised on forums such as the book "Hacking Exposed" (www.hackingexposed.com)

Posted by: Javier Jarava at December 13, 2004 2:50 PM


Seems like anything that draws attention to the fact that passwords aren't secure is a good thing, even if they're being clumsy about it.

Posted by: Joe Mason at December 13, 2004 2:59 PM


Interesting that you can sign up anyone for the petition - look at entry number 6 in the signatures. I wonder if it's just coincidence that "Natalie Wood" sent in the 'real life story'.

Posted by: Marc at December 13, 2004 3:44 PM


Dear God, they also post the IP addresses of everyone who posts a comment. It's like a list of all the clueless people on the internet in one place.

Posted by: Tim at December 13, 2004 4:36 PM


Another example of bad security! Publishing the IP addresses of posters seems to just beg for hackers... So don't post if the IP addresses of the other posters are visible.

Not saying that it's bad to log IPs, to track down spammers for example. Just don't publish them! (Though I must admit, I was guilty of this in an old version of a script I wrote...)

Posted by: Quadro at December 13, 2004 7:16 PM


Sell? LOL You can get this as a free extension to any of the Mozilla based browsers.

Posted by: John at December 13, 2004 9:51 PM


nice, but not interesting

Posted by: RAD at December 14, 2004 8:11 AM


I wrote an app to do the exact same thing, about five years ago. And it's trivial to write a program that resists this kind of casual snooping.

All it takes is to not put the actual password into the text box; put a sentinel value there instead, and watch to see if the user ever changes that value. I've run across programs that already do this. (Often you can tell -- you go back into the edit screen, and there are a different number of asterisks than there were when you saved!)

Granted, this won't make the app secure, but even if the user demands that you persist their passwords, you can still take some care.

Posted by: Joe White at December 15, 2004 4:58 PM


I wonder why nobody breaks into Linux and BSD type operating systems anymore? It's definitely not because it's more secure. Writing C code for this new hardware is a security risk itself.

I think ciphering asterisks is a matter of memory allocation. If you have experience with ASM or Embedded C you could probably make one of these apps.

Posted by: Greenflame at December 21, 2004 11:45 PM


