Hello MozCrypt!
We at MozSec (Mozilla Security) have been having a wonderful little
discussion with someone who goes by the handle of TGOS.
He was wondering about the way Moz encrypts username/passwords that have
been saved. He was under the impression that Moz saved this to a file
and just encrypted that file using the Master Password as the key.
After a lot of flying emails, and some thinly veiled wisecracks, it
finally whittled down to this:
- I wanna build a program that, without any access to Moz code or libs,
can read/write/edit stored username/passwords, so how does Moz store the
data?
- Moz doesn't really store the data. The file you are looking at is an
ASN.1 DER-encoded file just storing pointers to keys.
- That sucks; where are the actual username/passwords stored?
- Somewhere else.
- What! This is just security through obscurity, and that never works.
This sucks (again).
Sorry, couldn't help but vent.
This morning I sent an email to the list giving a better overall rundown
of the situation, and how Moz does this. The short short version is:
1. There is a token, be it software or hardware (such as USB key or
other removable device).
2. When a Master Password is created, it is associated to/into the token.
3. When a username/password is entered, it is saved in the token; a
key, algorithm, and pointer information are stored by Moz in an ASN.1
DER-encoded file, which just says where it is on the token and how to get it.
4. When it is time to get the username/password (to use at a site or to
delete it), Moz calls the token with the algorithm and pointer, and uses
the key to verify the information.
The problem comes down to this: someone wanted to know how Moz stores
username/password combos so that they could access (hopefully) their own
stored usernames and passwords to find ones they forgot, edit them,
remove specific ones, etc. I understand the desire to do this,
because this would allow people to find username/passwords they forgot,
remove old ones, that kind of stuff. The way it was being described
though (using Java and HTML) sounded a little more like a cracker
toolkit than management.
I do wonder: has anyone else thought about a system that would allow
people to review their usernames/passwords? Maybe even have an associated
text file in which they could store non-secret info, such as a comment
about which site that is or how to get there.
Just wanted to get the ball rolling on this list.
Chris