[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Micro$oft and Java
On Thu, 7 Dec 1995, Joel McNamara wrote:
> I was at the Microsoft presentation. Crypto-relevant info:
>
> A patch will be published in the next few days to address the weak .PWL
> encryption. I got a rather lame excuse about how the encryption was first
> implemented in 1991, and how it was sufficient then. They will supposedly
> be changing the seed.
I do believe the word "lame" is in order, yes.
Microsoft has issued a public statement on the "issue" at
http://www.microsoft.com/windows/pr/password.htm
As usual, the inaccuracies begin with the first sentence. Password caching
is not optional. It is on by default. Instructions for turning it off are
not even included with the floppy disk or OEM versions of Win95, and
they're not easy to find in the Resource Kit help file on the install CD,
which is neither installed nor referenced by default.
Some rather astute people spent days looking for a way to disable password
caching, and they couldn't find it. Their messages are on my list archive.
There is currently *no way* for the administrator of a public Windows 95
lab to have any confidence that password caching has been turned off. All
it takes is one malicious user -- or one innocent user who wants to
disable system policies for other reasons -- and all passwords used from
that machine are compromised.
We started whining about this on November 1; see
gopher://quixote.stanford.edu/1m/win95netbugs.
-rich