[Blink] Blink stores plain word passwords in its config file?

Dan Pascu dan at ag-projects.com
Wed Nov 24 15:58:54 CET 2010


On 24 Nov 2010, at 12:01, Juha Heinanen wrote:

> Dan Pascu writes:
>
>> It will not matter if the password is encrypted or not. All it takes
>> is a print in the blink code after blink has decoded the encrypted
>> password. The only way to prevent this is if the password is not
>> stored but blink asks for it every time, so you need the actual owner
>> to input it before it will be known. But even this will not guarantee
>> you security, since someone may steal it while blink is already
>> running or may not steal your system at all, but he will just modify
>> the software to log the typed password to a file.
>
> dan,
>
> looks like you didn't read my message carefully, because i tried to tell
> the same points.  if password is not in config file, blink should ask
> for it each time blink starts. that would protect the password unless
> blink was running when the system was lost.

Of course. Maybe I didn't convey my message clearly enough. Doing this  
will help you in those cases but it is still powerless when someone  
else has access to your computer and logs the password as soon as you  
type it (by modifying the code). Unfortunately there is no foolproof  
method that protects one in every possible case.

IMO, the simplest and most secure solution is to encrypt your  
filesystem. You only type a master password once when you boot your  
system, instead of typing a master password for every application you
run. Plus it protects all your files, not just a config file of a
certain application.

--
Dan








