Show passwords when they are being entered
Buzz Murdoch
2009-07-11 00:26:01 UTC
Drive Crypt has an option to show the password when it is entered. Is
there a security risk (other than having it observed over your
shoulder) to enable this option?
Unruh
2009-07-11 00:56:37 UTC
Post by Buzz Murdoch
Drive Crypt has an option to show the password when it is entered. Is
there a security risk (other than having it observed over your
shoulder) to enable this option?
Yes, it saves the password in the clear in a number of files (e.g. the
history file for your terminal).
John Smith
2009-07-11 05:25:20 UTC
Post by Unruh
Post by Buzz Murdoch
Drive Crypt has an option to show the password when it is entered. Is
there a security risk (other than having it observed over your
shoulder) to enable this option?
Yes, it saves the password in the clear in a number of files (e.g. the
history file for your terminal).
I don't think that's correct if the clear password feature is checked in
the options tab. Anyone know for sure?
Unruh
2009-07-11 07:37:31 UTC
Post by John Smith
Post by Unruh
Post by Buzz Murdoch
Drive Crypt has an option to show the password when it is entered. Is
there a security risk (other than having it observed over your
shoulder) to enable this option?
Yes, it saves the password in the clear in a number of files (e.g. the
history file for your terminal).
I don't think that's correct if the clear password feature is checked in
the options tab. Anyone know for sure?
The question is not what DriveCrypt does with the password, the question
is what the shell does with it. Remember that you are using the
operating system to display and transmit the password to the program. By
displaying it there is a danger that the operating system will store the
password somewhere completely out of the control of DriveCrypt.

Why in the world would you want to display your password?
John Smith
2009-07-11 09:27:50 UTC
Post by Unruh
Post by John Smith
Post by Unruh
Post by Buzz Murdoch
Drive Crypt has an option to show the password when it is entered. Is
there a security risk (other than having it observed over your
shoulder) to enable this option?
Yes, it saves the password in the clear in a number of files (e.g. the
history file for your terminal).
I don't think that's correct if the clear password feature is checked in
the options tab. Anyone know for sure?
The question is not what DriveCrypt does with the password, the question
is what the shell does with it. Remember that you are using the
operating system to display and transmit the password to the program. By
displaying it there is a danger that the operating system will store the
password somewhere completely out of the control of DriveCrypt.
Why in the world would you want to display your password?
True, why would you. The only thing is that if you're using the red
screen feature that DC and DCPP offer, you aren't using the Windows
operating system; the communication is direct with the program, and the
operating system is bypassed completely. Regards
John Smith
2009-07-11 09:30:37 UTC
Post by John Smith
Post by Unruh
Post by John Smith
Post by Unruh
Post by Buzz Murdoch
Drive Crypt has an option to show the password when it is entered. Is
there a security risk (other than having it observed over your
shoulder) to enable this option?
Yes, it saves the password in the clear in a number of files (e.g. the
history file for your terminal).
I don't think that's correct if the clear password feature is checked
in the options tab. Anyone know for sure?
The question is not what DriveCrypt does with the password, the question
is what the shell does with it. Remember that you are using the
operating system to display and transmit the password to the program. By
displaying it there is a danger that the operating system will store the
password somewhere completely out of the control of DriveCrypt.
Why in the world would you want to display your password?
True, why would you. The only thing is that if you're using the red
screen feature that DC and DCPP offer, you aren't using the Windows
operating system; the communication is direct with the program, and the
operating system is bypassed completely. Regards
Just a small additional note: as far as I know only DC and DCPP have
this feature where you bypass the operating system, but having said
that, you're absolutely right, why would you enter the pass in the clear anyway?
Sarah Dean
2009-07-11 12:09:26 UTC
[snip]
Post by Unruh
Why in the world would you want to display your password?
To see what you've typed in.

This is a usability issue, and is actually useful for some users (i.e.
those who have no risk of the display being observed).
Sarah Dean
2009-07-11 12:08:51 UTC
Post by John Smith
Post by Unruh
Post by Buzz Murdoch
Drive Crypt has an option to show the password when it is entered. Is
there a security risk (other than having it observed over your
shoulder) to enable this option?
Yes, it saves the password in the clear in a number of files (e.g. the
history file for your terminal).
I don't think that's correct if the clear password feature is checked in
the options tab. Anyone know for sure?
I agree - I think Unruh is getting confused with MS Windows' "recent
documents" functionality which gets a lot of negative comments made about
it, but which, incidentally, can be turned off.

As for your password being stored in plaintext in a number of
files (to a "history file for your terminal"?!), this sounds like (very
poor) FUD, or Unruh thinking of the "save passwords" function a
number of WWW browsers offer... (Which would only save it to a single
location)

It's more than likely that DriveCrypt are just making use of the standard
Windows APIs here; in which case this option does exactly what it says. As
long as you're not observed typing your password in - either by someone
watching, or malicious software which quietly takes screenshots as keys are
pressed - you should be safe enough from the visual element.
Buzz Murdoch
2009-07-12 05:10:02 UTC
On Sat, 11 Jul 2009 12:08:51 +0000 (UTC), Sarah Dean
Post by Sarah Dean
Post by John Smith
Post by Unruh
Post by Buzz Murdoch
Drive Crypt has an option to show the password when it is entered. Is
there a security risk (other than having it observed over your
shoulder) to enable this option?
Yes, it saves the password in the clear in a number of files (e.g. the
history file for your terminal).
I don't think that's correct if the clear password feature is checked in
the options tab. Anyone know for sure?
I agree - I think Unruh is getting confused with MS Windows' "recent
documents" functionality which gets a lot of negative comments made about
it, but which, incidentally, can be turned off.
As for your password being stored in plaintext in a number of
files (to a "history file for your terminal"?!), this sounds like (very
poor) FUD, or Unruh thinking of the "save passwords" function a
number of WWW browsers offer... (Which would only save it to a single
location)
It's more than likely that DriveCrypt are just making use of the standard
Windows APIs here; in which case this option does exactly what it says. As
long as you're not observed typing your password in - either by someone
watching, or malicious software which quietly takes screenshots as keys are
pressed - you should be safe enough from the visual element.
Thanks for the reply Sarah. It's what I thought was the answer but
now I feel a bit safer about it. :)
