[ art / civ / cult / cyb / diy / drg / feels / layer / lit / λ / q / r / sci / sec / tech / w / zzz ] archive provided by lainchan.jp

lainchan archive - /sec/ - 3911



File: 1485691922144.png (258.76 KB, 300x150, TfSsiF9.gif)

No.3911

Recently i noticed that someone had tried to login to my steam account from somewhere, prompting several steam verification code sms to my phone. Apparently having auto login is not secure since the passwords cant be saved securely.

After this i have become curious in auto login. How do clients save their passwords for auto login? Plaintext files hidden somewhere?

  No.3912

File: 1485694722262.png (101.46 KB, 200x120, ichi-the-killer.jpg)

>>3911
I'm definitely not an expert on this but I think once you enter it once the program generates a hash from the password and keeps it hidden. Everytime you change the password you'd need to regen a new hash and cracking the password locally is just finding the hash and bruteforcing it.

  No.3942

Depends on the client. The right way to do it is something like this.

Log in normally

Have the server generate a "token" of some sort, store that token in a list of tokens that correspond to that user.

Next time the user logs in, instead of presenting a password present that token (on web sites that token is stored in a cookie).

Have the server stop storing those tokens under certain conditions, such as no log-ins after a certain point.

---

For some reason most clients try to obfuscate what they're doing, even when that's what they're doing. They store the length of the password, and show some dots indicating how long it is in the password field.

Others, like ssh, make this explicit. You can't tell it to remember your password, but you can generate an SSH key, which acts very similarly to our token example.

Of course, if you're getting your browser to remember passwords for you, it is just storing the plaintext somewhere. Not necessarily in a plain text file, often in some kind of data structure, like an sqlite file or some horrible XML thing.

Tools like the pupy RAT even have modules to pull all those passwords out of those files.

In firefox at least, if you set a "master password" it no longer stores the files as plaintext on disc, it encrypts them using your master password as a key, and only unencrypts them as needed.