Friday, July 07, 2006

How not to protect passwords in software...

I'm told that one company's networking software from a long time ago had a bug just like this one. They used a very advanced "change password" algorithm, the details of which are not important. The design was that only heavily encrypted data was transmitted on the wire. That way, somebody who sat on the network and captured packets wouldn't see anything of value. Except that they had a bug in their client: When it sent the encrypted password to the server, it forgot to null out the unused bytes in the "change password" packet. And in those unused bytes were, you guessed it, a copy of the password in plain text.
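The failure mode above comes down to buffer handling, not cryptography: a fixed-size packet is filled in only partly, and the unused tail carries whatever the memory held before, here a plaintext copy of the password. The following C example is added here to illustrate it and is not code from the post or from the software it describes. The packet layout (64 bytes, a type byte, a length byte, then ciphertext), the single-byte XOR standing in for the real cipher, and the idea that the same scratch buffer earlier held the plaintext are all constructed assumptions for the demonstration:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_SIZE 64   /* assumed fixed-size "change password" packet */

/* Toy stand-in for the real cipher: XOR every byte with 0x5A. The cipher is
 * irrelevant to the bug; only the handling of the surrounding bytes matters. */
static void toy_encrypt(uint8_t *out, const char *pw, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = (uint8_t)pw[i] ^ 0x5A;
}

/* Vulnerable builder: writes header and ciphertext, touches nothing else.
 * Bytes 2+n .. PKT_SIZE-1 keep whatever the buffer already contained. */
void build_packet_leaky(uint8_t pkt[PKT_SIZE], const char *pw) {
    size_t n = strlen(pw);
    pkt[0] = 0x01;          /* assumed message type: change password */
    pkt[1] = (uint8_t)n;    /* ciphertext length */
    toy_encrypt(pkt + 2, pw, n);
}

/* Fixed builder: zero the whole packet first, so every byte that goes on the
 * wire is either deliberately set or a known zero. */
void build_packet_fixed(uint8_t pkt[PKT_SIZE], const char *pw) {
    size_t n = strlen(pw);
    memset(pkt, 0, PKT_SIZE);
    pkt[0] = 0x01;
    pkt[1] = (uint8_t)n;
    toy_encrypt(pkt + 2, pw, n);
}

/* What a passive capture would reveal: scan the packet for the plaintext. */
int packet_leaks_plaintext(const uint8_t pkt[PKT_SIZE], const char *pw) {
    size_t n = strlen(pw);
    if (n == 0 || n > PKT_SIZE) return 0;
    for (size_t i = 0; i + n <= PKT_SIZE; i++)
        if (memcmp(pkt + i, pw, n) == 0) return 1;
    return 0;
}

/* Constructed scenario: the UI layer staged the plaintext password in a
 * scratch buffer at offset 20, and the packet is then built in that same
 * memory. This models stale stack or heap contents deterministically. */
static void stage_plaintext(uint8_t buf[PKT_SIZE], const char *pw) {
    memset(buf, 0xCC, PKT_SIZE);        /* constructed filler pattern */
    memcpy(buf + 20, pw, strlen(pw));   /* leftover plaintext copy */
}

/* Returns 1 if the leaky builder exposes the plaintext, 0 if not,
 * -1 if the constructed password is too long for the scenario. */
int demo_leaky(const char *pw) {
    uint8_t buf[PKT_SIZE];
    if (strlen(pw) > 40) return -1;
    stage_plaintext(buf, pw);
    build_packet_leaky(buf, pw);
    return packet_leaks_plaintext(buf, pw);
}

/* Same scenario with the fixed builder. */
int demo_fixed(const char *pw) {
    uint8_t buf[PKT_SIZE];
    if (strlen(pw) > 40) return -1;
    stage_plaintext(buf, pw);
    build_packet_fixed(buf, pw);
    return packet_leaks_plaintext(buf, pw);
}

int main(void) {
    const char *pw = "hunter2";   /* constructed sample password */
    printf("leaky builder exposes plaintext: %d\n", demo_leaky(pw));
    printf("fixed builder exposes plaintext: %d\n", demo_fixed(pw));
    return 0;
}
```

The fix clears the entire packet before filling it rather than trying to track which bytes are "unused"; that way a later change to the layout cannot reintroduce the leak. Because the buffer is subsequently sent, the compiler cannot drop the memset as a dead store, which is the usual concern when zeroing secrets that are about to go out of scope.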

The Old New Thing : Security: Don't forget to initialize the stuff you don't care about
