The passwords in Windows are stored as hashes.  They are not stored as
plaintext.  In order to get the password, you would need to brute force the
hash.

Cracking Windows passwords is an old idea with a great set of tools behind
it.  We are just using that knowledge to show that you shouldn't store
passwords in cookies, hashed or not.

As far as I understand it, if you store something as a client variable,
there is no way for a hacker to get at it (unless of course he somehow gets
into your database server, in which case all bets are off).  But if you
store it as a cookie, it's much more vulnerable to foul play.

 
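The point made above, as an added worked example that is not part of this message or the original thread: a login cookie that carries an unsalted MD5 of the password is cracked offline with a small dictionary, exactly the way Windows hashes are, whereas a server-side store (the role ColdFusion client variables play) only ever hands the browser an opaque random token. The cookie names, the wordlist and the in-memory dict standing in for the server store are all constructed for illustration.

```python
import hashlib
import itertools
import secrets
import string

# Constructed example of the design the thread warns against: the login
# cookie carries the user's password as an unsalted MD5 hash.
def make_password_cookie(username, password):
    digest = hashlib.md5(password.encode()).hexdigest()
    return f"user={username}; pwhash={digest}"

def parse_cookie(cookie):
    """Split 'k=v; k2=v2' into a dict, as the attacker or the server would."""
    return dict(part.strip().split("=", 1) for part in cookie.split(";"))

# Small constructed wordlist; a real attacker uses millions of entries and
# the same cracking tools the thread mentions for Windows hashes.
WORDLIST = ["password", "letmein", "summer", "coldfusion", "hunter"]

def crack_hash(hexdigest, wordlist=WORDLIST, max_suffix=2):
    """Offline dictionary attack: try each word with up to max_suffix trailing
    digits and return the first plaintext whose MD5 matches. Nothing here
    touches the server, so no login throttling or lockout can stop it."""
    target = hexdigest.lower()
    for word in wordlist:
        for n in range(max_suffix + 1):
            for digits in itertools.product(string.digits, repeat=n):
                candidate = word + "".join(digits)
                if hashlib.md5(candidate.encode()).hexdigest() == target:
                    return candidate
    return None

def recover_password(cookie):
    """What an attacker learns from a stolen password-hash cookie."""
    return crack_hash(parse_cookie(cookie)["pwhash"])

# The server-side alternative: the browser only holds an opaque random token
# and the data lives on the server. The dict is a stand-in for that store
# and the cookie name "cfid" is illustrative, not a real ColdFusion layout.
SESSION_STORE = {}

def make_session_cookie(username):
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, not derived from anything secret
    SESSION_STORE[token] = username
    return f"cfid={token}"

def lookup_session(cookie):
    return SESSION_STORE.get(parse_cookie(cookie).get("cfid"))

if __name__ == "__main__":
    bad = make_password_cookie("bob", "hunter2")
    print("stolen cookie:", bad)
    print("recovered password:", recover_password(bad))
    good = make_session_cookie("bob")
    print("session cookie:", good, "-> user:", lookup_session(good))
```

The hashed cookie gives the attacker the password itself, which is reusable everywhere the user typed it. A stolen session token can still be replayed against this one application until it expires or is revoked, but it reveals nothing about the credential, which is the narrower risk the client-variable approach buys.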

-----Original Message-----
From: Ryan Guill [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 29, 2005 4:14 PM
To: CF-Talk
Subject: Re: pseudo-memory leak

If you are an admin on the machine you could get the passwords even if they
weren't in cookies!  If someone ever puts in their password at all outside
of SSL, you can sniff the password.  If someone steals the SAM file, what
does it matter where I store the password or how I hash it?

What does that have to do with cookies vs client variables and the security
impact of the two?

On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> Not really.  There are different ways of getting hashes.  One is you
> can be an admin on the machine, and you can get the passwords of all the
> users.
> Another way is to sniff it going across the network.  You can also
> steal the SAM file and get the password that way.  The point is, you
> don't always need to have a login on the system (or physical access to
> the machine) to get people's passwords off of it.
>
> -----Original Message-----
> From: Robertson-Ravo, Neil (RX)
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 3:22 PM
> To: CF-Talk
> Subject: RE: pseudo-memory leak
>
> LOL, isn't that just like saying - I can get into any computer which
> is locked......if you give me the password?
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225630
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4