Subject: Re: PalmOS password recovery
From: Peter W (peterwUSA.NET)
Date: Thu Sep 28 2000 - 17:01:46 CDT
On Thu, Sep 28, 2000 at 08:08:37AM -0700, Nate Amsden wrote:
> I just read the advisory from stake and was shocked. I wondered why
> they considered this worthy of an "advisory"; there has been a well known
> program called "No Security" that with a click of your stylus you can
> wipe the password.
> In addition you can use a 3rd party program to synch the pilot, say
> Jpilot (which I use on Linux), and it retrieves all "private" records
> and does not bother to protect them; also it unmarks the private flag.
But stake's hack retrieves the password in cleartext, which is worse,
especially given users' tendency to reuse passwords. If the password
feature were implemented through something like a salted MD5 hash, then
they could provide the same weaknesses you mention without making the
password retrievable (brute-force attackable, yes).
Obviously they *should* store a hash for unlocking the device. Private
records are tricky; some details are publicly available, e.g. datebook
event times. Perhaps some of the record (description, notes) could be
encrypted with an unsalted hash of the password, so the plaintext password
doesn't sit around in memory, and a brute force attack of the datebook
doesn't yield the cleartext password. Downside is that if you ever changed
your password, the system would have to decrypt and reencrypt every
private item, which could take some time. Plus I expect this would mean a
new API to be implemented by every app that offers "private" data. But
nobody said security was always cheap.
Using the serial number in the password scheme is probably a bad idea. One
of the selling points of these devices is that if one breaks, you can buy
a new one, push a button, and restore everything. If you can secure the
data without tying data to a fragile device, you should.
-- This fall, taxpaying American citizens will elect voting representatives to the US Congress. Except for those in Washington, DC. http://www.dcvote.org/
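The scheme Peter sketches above (a salted hash for device unlock, private fields encrypted under an unsalted hash of the password, and the cost of re-encrypting every record on a password change), as an added Python example that is not from the original thread or from PalmOS. It assumes SHA-256/PBKDF2 in place of the post's MD5 and a SHAKE-256 keystream in place of the unspecified cipher, and it provides confidentiality only (no integrity tag).

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor, not from the post


def make_unlock_record(password: str, salt=None) -> dict:
    """Store only a salted hash for unlocking the device (never the password)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def check_unlock(record: dict, attempt: str) -> bool:
    """Verify an unlock attempt in constant time; a leak of the record gives an
    attacker only a brute-force target, not the cleartext password."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def record_key(password: str) -> bytes:
    """Unsalted hash of the password used as the private-record key, so the
    plaintext password need not stay in memory after the key is derived."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHAKE-256 over key||nonce as a keyed XOF; illustrative stand-in for a cipher.
    return hashlib.shake_256(key + nonce).digest(n)


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one private field (description, note); a fresh nonce per field
    keeps equal plaintexts from producing equal ciphertexts."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def change_password(records: list, old_pw: str, new_pw: str) -> list:
    """The downside the post notes: every private record is decrypted with the
    old key and re-encrypted with the new one."""
    old_key, new_key = record_key(old_pw), record_key(new_pw)
    return [encrypt_field(new_key, decrypt_field(old_key, r)) for r in records]
```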