[Let me say up front that beyond a lot of perl hacking, I've never had a need to code my way out of a paper bag, so this is not something I'd be able to implement myself, at least not without a month of study.] OK, so we know how to crack .PWL files, and how any program (virus, trojan horse, Windows Help file calling a DLL beginning with ASCII 229 so that virus scanners can't see it) can obtain usernames, passwords, etc. even if persistent "password caching" to disk has been turned off. How might Microsoft (or someone else) address this without forcing users to quit all applications and "log out" of Windows to purge the temporary "password cache" in RAM? I.e., I don't care much about and know I can't count on the security of my PC as such, and it's really convenient to leave a zillion Popular Web Browser windows open when I walk out of my office, but I don't like the idea that anyone might walk up to my PC and log on as me to the otherwise (more or less) secure servers I use. In thinking about how MacOS PowerTalk deals with this by allowing the user to "lock" and "unlock" their keychain at will, it occurred to me that there's no particular reason we should just have to "look, don't touch" the password cache in RAM. After all, it's our insecure single-user operating system, and our passwords. Why not provide a way to grab the passwords cached in RAM, encrypt them securely, put them away somewhere, and scramble the original copy of the passwords in RAM so that Microsoft's code can't get to them? We don't need no steenking user interface. Actually, the first cut at this wouldn't really need to encrypt them securely, but just deny them to the OS, and restore them to the OS, on demand. Just a quick demo of how Microsoft can and should resolve this issue would have people beating down our door, and we'd unambiguously be the good guys. Because we'd be providing the solution, there would be no further moral qualms about posting full details and full source code. -rich owner-win95netbugs@lists.stanford.edu ftp://ftp.stanford.edu/pub/mailing-lists/win95netbugs/ gopher://quixote.stanford.edu/1m/win95netbugs http://www-leland.stanford.edu/~llurch/win95netbugs/faq.html