[Blink] Blink stores plain word passwords in its config file?

Tomasz Muszynski thom at union.waw.pl
Wed Nov 24 16:18:14 CET 2010


Message written by Dan Pascu on 2010-11-24, at 15:58:
> On 24 Nov 2010, at 12:01, Juha Heinanen wrote:
>> Dan Pascu writes:
>>> It will not matter if the password is encrypted or not. All it takes
>>> is a print in the blink code after blink has decoded the encrypted
>>> password. The only way to prevent this is if the password is not
>>> stored but blink asks for it every time, so you need the actual owner
>>> to input it before it will be known. But even this will not guarantee
>>> you security, since someone may steal it while blink is already
>>> running or may not steal your system at all, but he will just modify
>>> the software to log the typed password to a file.
>> 
>> dan,
>> 
>> looks like you didn't read my message carefully, because i tried to tell
>> the same points.  if password is not in config file, blink should ask
>> for it each time blink starts. that would protect the password unless
>> blink was running when the system was lost.
> 
> Of course. Maybe I didn't convey my message clearly enough. Doing this will help you in those cases but it is still powerless when someone else has access to your computer and logs the password as soon as you type it (by modifying the code). Unfortunately there is no foolproof method that protects one in every possible case.
> 
> IMO, the simplest and most secure solution is to encrypt your filesystem. You only type a master password once when you boot your system, instead of typing a master password for every application you run. Plus it protects all your files, not just a config file of a certain application.

Filesystem encryption protects only in case of computer theft.

tm

