On Thu, 7 Dec 1995, Joel McNamara wrote:
> I was at the Microsoft presentation. Crypto-relevant info:
>
> A patch will be published in the next few days to address the weak .PWL encryption. I got a rather lame excuse about how the encryption was first implemented in 1991, and how it was sufficient then. They will supposedly be changing the seed.
I do believe the word "lame" is in order, yes.

Microsoft has issued a public statement on the "issue" at http://www.microsoft.com/windows/pr/password.htm. As usual, the inaccuracies begin with the first sentence. Password caching is not optional. It is on by default. Instructions for turning it off are not even included with the floppy disk or OEM versions of Win95, and they're not easy to find in the Resource Kit help file on the install CD, which is neither installed nor referenced by default. Some rather astute people spent days looking for a way to disable password caching, and they couldn't find it. Their messages are on my list archive.

There is currently *no way* for the administrator of a public Windows 95 lab to have any confidence that password caching has been turned off. All it takes is one malicious user -- or one innocent user who wants to disable system policies for other reasons -- and all passwords used from that machine are compromised.

We started whining about this on November 1; see gopher://quixote.stanford.edu/1m/win95netbugs.

-rich
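For readers who want the concrete setting the thread is arguing about: below is the registry policy that the Windows 95 System Policy Editor writes for "Disable password caching", shown in the default (caching on) and corrected (caching off) states. This is an added example, not text from either post above; the key path and value name DisablePwdCaching are my assumption from the Windows 95 Resource Kit documentation, so check them against your own copy before deploying.

```reg
REGEDIT4

; Added example, not from the original thread. The key and value name
; (DisablePwdCaching) are assumed from the Windows 95 Resource Kit
; "Disable password caching" policy; verify before use.

; Default state: the value is absent (or 0), so Windows 95 caches every
; network password it sees into %WINDIR%\<username>.PWL.
;[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
;"DisablePwdCaching"=dword:00000000

; Corrected state: set the policy to 1. This stops new caching only;
; existing *.PWL files still hold previously cached passwords and must be
; deleted separately.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"DisablePwdCaching"=dword:00000001
```

Import it on each lab machine with `regedit /s` and then remove any existing .PWL files from the Windows directory. Note that this only sets a default: Windows 95 has no access control on its registry or on system policies, so any user at the console can flip the value back or skip policy loading, which is exactly the assurance gap rich describes.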