From: Rich Graves <llurch@networking.stanford.edu>
Date: Thu, 7 Dec 95 19:31:26 PST
To: Joel McNamara <joelm@eskimo.com>
Subject: Re: Micro$oft and Java
In-Reply-To: <199512080205.SAA02898@mail.eskimo.com>
Message-ID: <Pine.ULT.3.91.951207190400.15814G-100000@Networking.Stanford.EDU>
MIME-Version: 1.0
Content-Type: text/plain


On Thu, 7 Dec 1995, Joel McNamara wrote:

> I was at the Microsoft presentation.  Crypto-relevant info:
> 
> A patch will be published in the next few days to address the weak .PWL
> encryption.  I got a rather lame excuse about how the encryption was first
> implemented in 1991, and how it was sufficient then.  They will supposedly
> be changing the seed.

I do believe the word "lame" is in order, yes.

Microsoft has issued a public statement on the "issue" at 
http://www.microsoft.com/windows/pr/password.htm

As usual, the inaccuracies begin with the first sentence. Password caching
is not optional. It is on by default. Instructions for turning it off are
not even included with the floppy disk or OEM versions of Win95, and
they're not easy to find in the Resource Kit help file on the install CD,
which is neither installed nor referenced by default. 

Some rather astute people spent days looking for a way to disable password 
caching, and they couldn't find it. Their messages are on my list archive.

There is currently *no way* for the administrator of a public Windows 95 
lab to have any confidence that password caching has been turned off. All 
it takes is one malicious user -- or one innocent user who wants to 
disable system policies for other reasons -- and all passwords used from 
that machine are compromised.

We started whining about this on November 1; see 
gopher://quixote.stanford.edu/1m/win95netbugs.

-rich