Thread: To Cache or Not to Cache??

  1. #1
    tonybradley (AO Security for Non-Geeks)

    To Cache or Not to Cache??

    Windows offers you the option to store your password for various sign-on or login screens. In general this is frowned upon by Security Admins because if I sit down at one of those computers I can log on as that person without needing the password, because Windows already knows the password for me. Users like it because it's hard to remember 43 different passwords, especially if the Admin has enforced strong passwords and they can't use their dog's name or their son's birthday as their password.

    I agree completely with the idea that it is insecure if a 3rd party can sit at your computer and gain access to things they are not authorized for. However, using stored passwords means that you can't be shoulder-surfed: nobody can watch to see you type the password because you won't be typing it. It also means that someone doing keystroke logging using a Trojan horse or a product like EBlaster won't be able to get your passwords because you won't be typing them. An additional "feature" is that using stored passwords means it's less likely that users will have them written down on a piece of paper in their desk drawer or on a sticky note attached to the monitor.

    I am doing a review of EBlaster for an article and I started playing around with its functions, and it occurred to me that using cached or stored passwords may offer advantages. The physical security of your computer may play into which is better; in other words, you have to determine which is more likely to occur: someone will sit down at your computer and use your stored passwords against you, or someone will get a Trojan horse or keystroke logging program on your computer.

    So, here is my question: where are the stored passwords stored? Are the file or files easy to find? Are they encrypted or protected? Could someone with remote access easily get the file and crack it with LC4 or something like that?

    If the files are easily found and cracked then someone with remote access could still get your passwords, but someone who was simply doing keystroke logging still wouldn't get them.

    Thoughts?

  2. #2
    Some very good points there, but you can disable the auto-complete functions and password storage options, which I do at home. I use a 3rd-party piece of software (www.historykill.com), but I'm sure you can do it via Windows or IE (if appropriate).

    I think that in places where people are around you or you have a public access computer (work, library etc), you may as well tell everyone your usernames and passwords if this function is turned on (although some sites have increased security if you use a public computer), but at home, where nobody uses the computer but you, it does help, even if it is out of laziness.

    All in all, it's just a case of weighing up the pros and cons and your system's vulnerabilities before you decide what to do!!

    ps. Tony take a look at this beauty

    http://www.realrecorder.net/realspy/

  3. #3
    Side note:
    The reason I don't use cached passwords is because of tools like this:
    http://www.iopus.com/password_recovery.htm

  4. #4
    phishphreek (AO übergeek)
    Stored passwords can be kept all over the place... it just depends on which application.

    A freeware version of what Vigge mentioned is available here.

    If you are using the windows autologin... the username and password are both stored in clear text in the registry...

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    There are keys in there that will tell you what the username and password are.

    Also... check out this from sans.org. As a matter of fact... I think you'll find this VERY interesting...
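The check a practitioner would want for the registry location named in the post above, written as an added example (it is not code from the original thread or from any poster): a small PowerShell script that reads the Winlogon auto-logon values, reports whether a clear-text DefaultPassword is present without echoing it, and, when run with a -Remediate switch (a name chosen for this example), removes it and turns auto-logon off. The value names AutoAdminLogon, DefaultUserName, DefaultDomainName and DefaultPassword are the standard Winlogon ones; the function and parameter names are this example's own.

```powershell
# Added example, not from the original thread: audit (and optionally clear)
# the Winlogon auto-logon credentials that post #4 describes.
# Reading the key works as a normal user; removing values needs an
# elevated session. -Remediate is a switch name chosen for this example.
param(
    [switch]$Remediate
)

$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonState {
    # Returns an object describing whether auto-logon is enabled and whether
    # a clear-text DefaultPassword value exists. The password itself is never
    # placed in the output; its length is enough to prove it is stored.
    $key = Get-ItemProperty -Path $WinlogonPath -ErrorAction Stop
    $pw  = $key.DefaultPassword

    [pscustomobject]@{
        AutoAdminLogon    = ($key.AutoAdminLogon -eq '1')   # REG_SZ "1" means on
        DefaultUserName   = $key.DefaultUserName
        DefaultDomainName = $key.DefaultDomainName
        PasswordStored    = -not [string]::IsNullOrEmpty($pw)
        PasswordLength    = if ($pw) { $pw.Length } else { 0 }
    }
}

function Clear-AutoLogon {
    # Deletes the clear-text password value and disables auto-logon.
    Remove-ItemProperty -Path $WinlogonPath -Name 'DefaultPassword' -ErrorAction SilentlyContinue
    Set-ItemProperty    -Path $WinlogonPath -Name 'AutoAdminLogon'  -Value '0'
}

$state = Get-AutoLogonState
$state | Format-List

if ($state.PasswordStored) {
    Write-Warning "DefaultPassword is stored in clear text under $WinlogonPath"
    if ($Remediate) {
        Clear-AutoLogon
        Write-Host 'Removed DefaultPassword and set AutoAdminLogon to 0.'
    }
}
else {
    Write-Host 'No clear-text auto-logon password found in Winlogon.'
}
```

One caveat: an empty DefaultPassword value is not proof that no auto-logon credential exists on the machine. Tools such as Sysinternals Autologon store the password as an LSA secret rather than in this registry value, so a thorough audit also has to look at the LSA secrets, which this script does not read.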

  5. #5
    I would worry about the security of whatever was caching my password... I doubt MS uses strong encryption for your saved password. I have a feeling that they are probably in plain text somewhere. But if it's stored locally on the machine, well, it's not that hard to make sure no one sits down at your machine and uses it, so the cached password wouldn't be that bad.

    Example: at my office everyone has a laptop, and the laptop bay it sits in has a locking door, so if we don't take our laptop with us, the system is physically locked away.

  6. #6
    I think you've got to put this into perspective:

    1. Passwords stored by IE are for external services. They're obviously known by the service providers (who are not terribly trusted) and are sometimes sent in the clear. There may be some passwords for important things though.

    If something is sufficiently important, they should use a challenge / response (enter the 1st and 3rd digit of your pin) or physical token (securID etc)

    2. If you are worried about someone getting into your machine when your back is turned, either you have a lot of very untrusted people in your department, or you aren't locking your screen when you should.

    3. If someone *did* get access to the console when you were logged on, even briefly, they could pop a keylogger on there in a few seconds, which would defeat all the measures above.

    4. If someone got physical access to the machine in your absence (presumably when you weren't logged on), they could still plant a keylogger easily and undetectably.

  7. #7
    I would say a big negative to caching passwords, but if you insist on doing so I would check out this prog: http://appstraka.hypermart.net/ And if you're of the mind, like I am, that it's a bad idea, then check out this one: http://www.surfsecret.com/ It deletes any passwords that may be stored on your computer, and I do mean any.

  8. #8
    Yeah, I agree with you hatebreed, nice result.
