The Seattle Times has a rather large article this morning (12/9/95) about Microsoft's .PWL encryption weakness. Selected quotes are provided for your entertainment and enlightenment (give yourself one point for each piece of inaccurate/incomplete information or spin you can find).

Security flaw in Windows 95 to be fixed

Microsoft got word of the flaw from an Internet e-mail exchange last week that included a short computer program for "hacking," or decrypting, passwords contained in .pwl (password list) files. The company immediately began working on a fix.

"We wanted to be proactive on this before it became a problem," said Rob Bennett, Windows 95 product manager.

The company has received no customer complaints related to the issue and knows of no security breaches, Bennett said.

"There are people out there who will stay up all night cranking out code to break any encryption," Bennett said.

(This was followed by some good quotes from Frank Stevenson, who wrote the cracking code, on the seriousness of the weakness. I was a little surprised to see the reporter listed Frank's e-mail address in the article. Frank, if you're reading this, did you give Paul Andrews permission? To me, this seems like listing someone's telephone number and address in the body of an article.)

Microsoft said it plans to strengthen the encryption, Bennett said. Password data will be stored randomly, making it harder to find on the computer, he added.

Microsoft recommends that information-systems directors disable password storage until the fix is released.

One system administrator said the problem would have a greater effect on less-secure environments, such as universities and other institutions, than on corporations.