Security

Submission: AIM6 gives passwords to crackers on silver platter

imunfair writes: "I've been playing around with AIM6/Triton, and managed to replicate their login sequence — it's extremely insecure and I would suggest avoiding it at all costs. Also of note, the AIM6 passwords are stored encoded in the registry under:

HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords

Yes, that's right, I said the password is encoded/encrypted; there is no hashing involved, so it is possible to extract plaintext passwords from the registry! I'm still working on figuring out how it is encoded/encrypted, but I should say it is definitely a block encryption, working on 8-byte blocks. Possibly DES. The whole thing is prefaced with 8 bytes which are not part of the password, and the whole shebang is then base64 encoded and placed in your registry for anyone to grab and decrypt."
