On 8/24/05, Allen Parker <infowolfe@xxxxxxxxx> wrote: > On 23 Aug 2005 13:21:23 -0000, kozan@xxxxxxxxxxxxxxxxxx > <kozan@xxxxxxxxxxxxxxxxxx> wrote: [...] > > ZipTorrent stores proxy server information and password in > > X:\\[Program_Files_Path]\[ZipTorrent_Path]\pref.txt > > in plain text. A local user can read passwords and others. [...] > ... I haven't seen many programs making use of > proxies where the username/password pairs were obfuscated in any > way... Indeed - unless the proxy and all clients have some agreed protocol for exchanging some kind of encrypted / hashed password, then the password *must* be stored in plain text of some sort (even if it is obfuscated) on the client host, so that it can be made available later, in plain text, for the automatic password exchange. There is no way out of this, and no way to completely secure the stored password Surely this is just another rehash of the same old debate that appears here every now and then - the conclusion will always be that stored passwords are inherently vulnerable. They can be obfuscated as much as you like, but it only needs one successful piece of R&D to render the whole obfuscation scheme useless for everybody. See http://marc.theaimsgroup.com/?t=92420089800002&r=1&w=2 http://marc.theaimsgroup.com/?t=94570694700003&r=1&w=2 for a couple of useful Bugtraq debates on this topic. [both in 1999 ... was that _really_ the last time this came up ?] Nick Boyce -- Never fdisk after midnight.
