[Blink] Blink stores plain word passwords in its config file?

Dan Pascu dan at ag-projects.com
Wed Nov 24 16:26:07 CET 2010


On 24 Nov 2010, at 17:18, Tomasz Muszynski wrote:

> Message written by Dan Pascu on 2010-11-24, at 15:58:
>> On 24 Nov 2010, at 12:01, Juha Heinanen wrote:
>>> Dan Pascu writes:
>>>> It will not matter if the password is encrypted or not. All it takes
>>>> is a print in the blink code after blink has decoded the encrypted
>>>> password. The only way to prevent this is if the password is not
>>>> stored but blink asks for it every time, so you need the actual owner
>>>> to input it before it will be known. But even this will not guarantee
>>>> you security, since someone may steal it while blink is already
>>>> running or may not steal your system at all, but he will just modify
>>>> the software to log the typed password to a file.
>>>
>>> dan,
>>>
>>> looks like you didn't read my message carefully, because i tried to tell
>>> the same points.  if password is not in config file, blink should ask
>>> for it each time blink starts. that would protect the password unless
>>> blink was running when the system was lost.
>>
>> Of course. Maybe I didn't convey my message clearly enough. Doing
>> this will help you in those cases but it is still powerless when
>> someone else has access to your computer and logs the password as
>> soon as you type it (by modifying the code). Unfortunately there is
>> no foolproof method that protects one in every possible case.
>>
>> IMO, the simplest and most secure solution is to encrypt your
>> filesystem. You only type a master password once when you boot your
>> system, instead of typing a master password for every application you
>> run. Plus it protects all your files, not just a config file of a
>> certain application.
>
> Filesystem encryption protects only in case of computer theft.

That's what I said. But that's also the most concerning issue,
considering that a personal computer is, well, personal. The other
people who usually have access to it are trusted and if not that's why
you have different users. Are you telling me that you voluntarily give
your computers to people whom you do not trust and you fear they may
steal information from it, yet you still give them full access to your
user account that contains that information?

And BTW, there are solutions to encrypt your own files as a user,
not just the whole filesystem. Anyway we digress.

--
Dan








