Re: AutoCompete stored passwords encrypted but with what?
- From: "Gruzin" <mikhael@xxxxxxxxx>
- Date: 21 Feb 2006 15:47:31 -0800
Alan-
You present a valid question. I'm a firm believer there is no
security through obscurity. IE AutoComplete or any system is not
secure just because people are not aware of the mechanism that is used
to hide information. For instance, IE could just do something simple
like XOR a static value with passwords all the time, on all browsers
(since the IE code is hidden, no one knows). I highly doubt they
actually do this. However, if one day a clever hacker or researcher
found out that static value, all browsers would be vulnerable--a
massive problem. The question comes down to: do you trust Microsoft, or
would you rather know the algorithm they use and feel confident using
it when saving passwords in IE? In cryptography, Kerckhoffs's law states
that the security of a system should only be dependent on the key, not
the algorithm. Hence I only want to know what they are using to be
assured it's secure, and not just buy MSDN's or TechNet's word about the
information being encrypted. To answer the first part of the question,
sometimes the system bases the cryptographic key on the complexity of the
password--so if you choose a password like "hello", it generates a
weaker symmetric key than if you chose "kR&3`?*)+#".
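
The hypothetical in the post above, as an added example that is not part of the original message and does not describe IE's actual mechanism: a static XOR value shared by every install falls to a single known password/stored-value pair, while the same public algorithm with a per-user key does not. All names, the static value, the sample passwords and the HMAC-based keystream (a standard-library stand-in for a vetted cipher) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical static value shipped in every install (constructed for this example).
STATIC_VALUE = bytes.fromhex("5a17c3099e")

def xor_static(data: bytes, key: bytes = STATIC_VALUE) -> bytes:
    """Obfuscate or de-obfuscate: XOR with a repeating static value."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_static_value(known_plain: bytes, stored: bytes, key_len: int) -> bytes:
    """With the algorithm known, one known pair of >= key_len bytes reveals the value."""
    return bytes(p ^ c for p, c in zip(known_plain, stored))[:key_len]

def derive_key(user_secret: bytes, salt: bytes) -> bytes:
    """Per-user key from a per-user secret, so no value is shared between installs."""
    return hashlib.pbkdf2_hmac("sha256", user_secret, salt, 100_000, dklen=32)

def xor_keyed(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib stand-in for a vetted cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(b ^ s for b, s in zip(data, stream))

def demo() -> dict:
    alice_pw, bob_pw = b"hello-alice", b"kR&3`?*)+#"   # constructed sample passwords
    # Scheme 1: static XOR. Alice knows her own password and can read her stored blob.
    a_blob, b_blob = xor_static(alice_pw), xor_static(bob_pw)
    leaked = recover_static_value(alice_pw, a_blob, len(STATIC_VALUE))
    static_exposes_bob = xor_static(b_blob, leaked) == bob_pw
    # Scheme 2: same public algorithm, but each user has their own key, salt and nonce.
    a_key = derive_key(os.urandom(16), os.urandom(16))
    b_key = derive_key(os.urandom(16), os.urandom(16))
    a_nonce, b_nonce = os.urandom(12), os.urandom(12)
    a_blob2, b_blob2 = xor_keyed(alice_pw, a_key, a_nonce), xor_keyed(bob_pw, b_key, b_nonce)
    # Alice's known pair yields only her own keystream, which does not decode Bob's blob.
    a_stream = bytes(p ^ c for p, c in zip(alice_pw, a_blob2))
    keyed_exposes_bob = bytes(c ^ s for c, s in zip(b_blob2, a_stream)) == bob_pw[:len(a_stream)]
    return {"static_exposes_bob": static_exposes_bob, "keyed_exposes_bob": keyed_exposes_bob,
            "bob_roundtrip": xor_keyed(b_blob2, b_key, b_nonce) == bob_pw}

if __name__ == "__main__":
    print(demo())
```
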