The Doghouse: Internet Security Foundation

This organization wants to sell their tool to view passwords in textboxes "hidden" by asterisks on Windows. They claim it's "a glaring security hole in Microsoft Windows" and a "grave security risk." Their webpage is thick with FUD, and warns that criminals and terrorists can easily clean out your bank accounts because of this problem.

Of course the problem isn't that users type passwords into their computers. The problem is that programs don't store passwords securely. The problem is that programs pass passwords around in plaintext. The problem is that users choose lousy passwords, and then store them insecurely. The problem is that financial applications are still relying on passwords for security, rather than two-factor authentication.

But the "Internet Security Foundation" is trying to make as much noise as possible. They even have this nasty letter to Bill Gates that you can sign (36 people had signed, the last time I looked). I'm not sure what their angle is, but I don't like it.

Posted on December 13, 2004 at 1:32 PM • 13 Comments

Comments

Tim Green • December 13, 2004 2:08 PM

This is not a new utility. I used one to recover my mother's dial-up password in Windows 98 - the password was hidden behind the asterisks and any Windows object walker and inspector could find the text box and read the true value.

ben • December 13, 2004 2:11 PM

Speaking of security... have you written anything on the effects quantum computing will have on security (specifically crypto)? I'd be interested in hearing your thoughts on this. Doesn't seem like it's too far away and, from the few books I've read, seems like it's going to force a rethink of virtually all crypto which, as far as I know (which ain't much :), is the only way to really send stuff around securely on the net.

Joe Mason • December 13, 2004 2:59 PM

Seems like anything that draws attention to the fact that passwords aren't secure is a good thing, even if they're being clumsy about it.

Marc • December 13, 2004 3:44 PM

Interesting that you can sign up anyone for the petition - look at entry number 6 in the signatures. I wonder if it's just coincidence that "Natalie Wood" sent in the 'real life story'.

Tim • December 13, 2004 4:36 PM

Dear God, they also post the IP addresses of everyone who posts a comment. It's like a list of all the clueless people on the internet in one place.

Quadro • December 13, 2004 7:16 PM

Another example of bad security! Publishing the IP addresses of posters seems to just beg for hackers... So don't post if the IP addresses of the other posters are visible.

Not saying that it's bad to log IPs, to track down spammers for example. Just don't publish them! (Though I must admit, I was guilty of this in an old version of a script I wrote...)

Joe White • December 15, 2004 4:58 PM

I wrote an app to do the exact same thing, about five years ago. And it's trivial to write a program that resists this kind of casual snooping.

All it takes is to not put the actual password into the text box; put a sentinel value there instead, and watch to see if the user ever changes that value. I've run across programs that already do this. (Often you can tell -- you go back into the edit screen, and there are a different number of asterisks than there were when you saved!)

Granted, this won't make the app secure, but even if the user demands that you persist their passwords, you can still take some care.
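The sentinel approach described in the comment above, as an added illustration that is not code from the original post or from any product it names. The `PasswordField` stand-in for a masked text box, the `CredentialForm` class and the fixed 8-character sentinel length are assumptions made for this example:

```python
import secrets

# Fixed sentinel length, so the number of asterisks shown never reveals
# how long the real password is (the leak the comment above points out).
SENTINEL_LEN = 8


class PasswordField:
    """Stand-in for a masked GUI text box (assumed for this example).

    Whatever sits in .text is exactly what an object walker or widget
    inspector would read back, asterisks or not.
    """

    def __init__(self) -> None:
        self.text = ""


class CredentialForm:
    """Edit screen for a persisted password that never loads the secret into the widget."""

    def __init__(self, stored_password: str) -> None:
        self._stored = stored_password
        # Fresh random sentinel per form instance; it stands in for the secret.
        self._sentinel = secrets.token_hex(SENTINEL_LEN // 2)
        self.field = PasswordField()

    def load(self) -> None:
        """Populate the edit screen: the widget gets the sentinel, not the password."""
        self.field.text = self._sentinel

    def user_types(self, new_value: str) -> None:
        """Simulate the user replacing the field contents."""
        self.field.text = new_value

    def widget_contents(self) -> str:
        """What a casual snooping tool reading the text box would obtain."""
        return self.field.text

    def save(self) -> str:
        """Return the password to persist.

        If the field still holds the sentinel, the user never touched it and the
        previously stored password is kept; otherwise the new text replaces it.
        """
        if self.field.text != self._sentinel:
            self._stored = self.field.text
        return self._stored
```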

Greenflame • December 21, 2004 11:45 PM

I wonder why nobody breaks into Linux and BSD type operating systems anymore? It's definitely not because it's more secure. Writing C code for this new hardware is a security risk itself.

I think ciphering asterisks is a matter of memory allocation. If you have experience with ASM or embedded C you could probably make one of these apps.

Internet Threat • August 25, 2009 12:28 AM

The irony is the security tools are now being used by the crackers to leverage advantage. And how many times do you see a security consultant advise a course of action that is just the same as cracking? There is no money in being the good guy in security at the coal face; better to just respond to the problems, or comment on them.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.