Windows Explorer may expose FTP passwords in plaintext

Brian Knittel

If you use Windows Explorer to open an FTP site that requires a password,
Explorer may display the password in clear text in the future through the
autocomplete feature in Explorer's Address bar. I've tried this on one XP
SP3 machine and the password DOES appear, but on another XP SP3 machine only
the username appears. Steps to reproduce:

1. Open Windows Explorer and if necessary enable the display of the Address
bar

2. In the Address bar, enter the URI of an FTP server that does not permit
anonymous access and on which you have an account, e.g.
ftp://host.domain.com/myfolder

3. Windows Explorer will prompt you for a username and password, and then
will display the folder contents

4. Close Windows Explorer, then open Windows Explorer again.

5. In the Address bar, type ftp:

At this point autocomplete should kick in and display the URI with at least
your username and maybe the password displayed in clear text, e.g.

ftp://username:password@host.domain.com/somefolder

The version with the username and password doesn't appear in the Address bar's
MRU dropdown, but just in prompts popped up by autocomplete. The password
does not seem to appear in plaintext in the Registry.

As I said, I have one machine that reliably shows the password, and another
that doesn't.

Does anyone else find that the password is displayed?

(No need to discuss the insecurity of FTP itself--that's not the issue
here. This is about the potential for exposing previously used passwords on
the desktop)
 
S. Pidgorny

So the risk is that the user's own password is displayed to the user?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Brian Knittel" <brian@quarterbyte.com> wrote in message
news:4880f85f$0$17195$742ec2ed@news.sonic.net...
> If you use Windows Explorer to open an FTP site that requires a password,
> Explorer may display the password in clear text in the future through the
> autocomplete feature in Explorer's Address bar. I've tried this on one XP
> SP3 machine and the password DOES appear, but on another XP SP3 machine
> only the username appears. Steps to reproduce:
>
> 1. Open Windows Explorer and if necessary enable the display of the
> Address bar
>
> 2. In the Address bar, enter the URI of an FTP server that does not permit
> anonymous access and on which you have an account, e.g.
> ftp://host.domain.com/myfolder
>
> 3. Windows Explorer will prompt you for a username and password, and then
> will display the folder contents
>
> 4. Close Windows Explorer, then open Windows Explorer again.
>
> 5. In the Address bar, type ftp:
>
> At this point autocomplete should kick in and display the URI with at
> least your username and maybe the password displayed in clear text, e.g.
>
> ftp://username:password@host.domain.com/somefolder
>
> The version with the username and password doesn't appear in the Address
> bar's MRU dropdown, but just in prompts popped up by autocomplete. The
> password does not seem to appear in plaintext in the Registry.
>
> As I said, I have one machine that reliably shows the password, and another
> that doesn't.
>
> Does anyone else find that the password is displayed?
>
> (No need to discuss the insecurity of FTP itself--that's not the issue
> here. This is about the potential for exposing previously used passwords
> on the desktop)
>
>
 
Stefan Kanthak

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote:

> So the risk is that the user's own password is displayed to the user?


Apparently you missed the point -- COMPLETELY!

1. A previously entered password must NEVER be displayed to any user.

2. Think of a shared computer in a public place.

Stefan
 
Shenan Stanley

Brian Knittel wrote:
> If you use Windows Explorer to open an FTP site that requires a
> password, Explorer may display the password in clear text in the
> future through the autocomplete feature in Explorer's Address bar.
> I've tried this on one XP SP3 machine and the password DOES appear,
> but on another XP SP3 machine only the username appears. Steps to
> reproduce:
> 1. Open Windows Explorer and if necessary enable the display of the
> Address bar
>
> 2. In the Address bar, enter the URI of an FTP server that does not
> permit anonymous access and on which you have an account, e.g.
> ftp://host.domain.com/myfolder
>
> 3. Windows Explorer will prompt you for a username and password,
> and then will display the folder contents
>
> 4. Close Windows Explorer, then open Windows Explorer again.
>
> 5. In the Address bar, type ftp:
>
> At this point autocomplete should kick in and display the URI with
> at least your username and maybe the password displayed in clear
> text, e.g.
> ftp://username:password@host.domain.com/somefolder
>
> The version with the username and password doesn't appear in the
> Address bar's MRU dropdown, but just in prompts popped up by
> autocomplete. The password does not seem to appear in plaintext in
> the Registry.
> As I said, I have one machine that reliably shows the password, and
> another that doesn't.
>
> Does anyone else find that the password is displayed?
>
> (No need to discuss the insecurity of FTP itself--that's not the
> issue here. This is about the potential for exposing previously
> used passwords on the desktop)


Actually - I would say that the last paragraph/disclaimer is the issue.

FTP is a basic transfer method - old (should be obsolete in my opinion - and
is in many places) and natively insecure. If you are using ftp to transfer
anything - I would consider that an unwise decision and would not expect
anything you use to make the natively insecure protocol any better for you
and thus - the best alternative IMHO - is to just find a better method of
file transfer. (Unless you are just grabbing files you feel okay with being
transferred in such an open method.)

As for the other responder - if you are foolhardy enough to go to a public
computer and log into a private FTP site using Internet Explorer and
download something - I am without words to express ... I mean - wow. I
know - not everyone may be aware how insecure FTP is - but - those people
probably aren't using FTP anyway. (I agree with point (1) of yours, BTW -
although that is more a function of the way the information gets passed to
the site than the browser - as well as the browser cache settings, etc. In
the case of old/obsolete FTP, that way is insecure and horrible all the way
down the line.)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
Brian Knittel

Stefan got the point: a computer should never display a previously entered
password in clear text, no matter what, and I have observed Windows doing
just that.

Has anyone else observed this behavior following the steps I outlined?

Please add this additional step:

When you are viewing the remote FTP directory using Windows Explorer,
drag a file from the FTP directory onto your desktop. Then, close Explorer,
reopen it, and type ftp:// into the Address window. (I just noticed that the
passwords I see are all on URIs that have filenames)

Could you please test this, and if you have a positive result (that is, you
see the password), please post a response. It would help if you noted your
version of Windows and Service Pack level.

Or, if you have a negative result, that is, you drag a file to your desktop,
and the next time you open Explorer and type ftp:// into the Address bar you
DO NOT see the password, please also post a response, if others haven't
already done so for your particular version+SP level of Windows.

Please, in the interest of keeping on topic, let's just focus on this one
behavior, and save discussions of network protocol security, public
computers and the like for another day.
 
Stefan Kanthak

"Shenan Stanley" <newshelper@gmail.com> wrote:


> As for the other responder - if you are foolhardy enough to go to a public
> computer and log into a private FTP site using Internet Explorer and
> download something - I am without words to express ... I mean - wow.


*I* am no *such* fool, and I've noticed the "disclaimer" of Brian very well.

The point is NOT the FTP protocol, it's IE that discards one of the main
principles in handling credentials: NEVER EVER display a password in clear,
neither when input nor when prepopulating an input field with a stored one.

> I
> know - not everyone may be aware how insecure FTP is - but - those people
> probably aren't using FTP anyway.


The same people might very well use POP3 or IMAP or SMTP (without SSL,
TLS, APOP etc.) on a public computer and send their credentials in cleartext.
Or they might use their laptop, connected to a public WLAN, and do the same.

I bet that *many* PC users can't tell whether their email provider allows
SSL/TLS and whether their computer or laptop is configured to use encryption
on the wire to access their mailbox.

> (I agree with point (1) of yours, BTW -
> although that is more a function of the way the information gets passed to
> the site than the browser - as well as the browser cache settings, etc. In
> the case of old/obsolete FTP, that way is insecure and horrible all the way
> down the line.)


regards
Stefan
 
Shenan Stanley

Brian Knittel wrote:
> Stefan got the point: a computer should never display a previously
> entered password in clear text, no matter what, and I have observed
> Windows doing just that.
>
> Has anyone else observed this behavior following the steps I
> outlined?
> Please add this additional step:
>
> When you are viewing the remote FTP directory using Windows
> Explorer, drag a file from the FTP directory onto your desktop. Then,
> close Explorer, reopen it, and type ftp:// into the Address window. (I
> just noticed that the passwords I see are all on URIs that have filenames)
>
> Could you please test this, and if you have a positive result (that
> is, you see the password), please post a response. It would help if
> you noted your version of Windows and Service Pack level.
>
> Or, if you have a negative result, that is, you drag a file to your
> desktop, and the next time you open Explorer and type ftp:// into
> the Address bar you DO NOT see the password, please also post a
> response, if others haven't already done so for your particular
> version+SP level of Windows.
> Please, in the interest of keeping on topic, let's just focus on
> this one behavior, and save discussions of network protocol
> security, public computers and the like for another day.


I *know* it happens - because it's been doing that for years.
IE4, IE5, IE6 and I bet IE7.

It is not like this discussion is new. -)

Maybe where the password is displayed is (maybe) - but I am sure it has to
do with 'how the browser has to pass the credentials...' - so it may be a
direct result of the protocol rules of passing things in clear/plain text.

Internet Explorer 5, Netscape 4.61 Reveal FTP User Names and Passwords
http://www.astonisher.com/archives/bugnet/alerts/bugalert_81199.html
(1999)

Internet Explorer discloses FTP access credentials
http://www.heise-online.co.uk/secur...discloses-FTP-access-credentials--/news/94349
(2007)

Internet Explorer and Your Web Site's Privacy
http://blog.washingtonpost.com/securityfix/2007/08/ftp_files_expose_web_site_cred.html
(2007)


How to Enter FTP Site Password in Internet Explorer
http://support.microsoft.com/kb/135975
(OLD - since it mentioned Windows 95/98 - but last updated in 2007)

"NOTE: The user name and password you enter in the Login As dialog box are
passed through as plain text and may be displayed in the Internet Explorer
title bar or status bar while you are connected to the site.

Note that this is not a secure method of logging on, as the password is
viewable in plain text. If you require additional security, use the FTP
client (Ftp.exe) that is included in your version of Windows 95 or Windows
98."

Does FireFox do it?
Opera?
Any other browsers?

Or do some browsers not even do FTP because of the weak security and how
they would have to pass the username/password?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
Steve Riley [MSFT]

Please understand the science here. If a protocol is insecure on the wire,
then there's zero benefit in trying to hide any aspects of that protocol
conversation on the individual computer itself. Besides, the displayed
password (retrieved from the URL history in this case) is displayed only to
the particular user who's logged on. If some other user logs onto the PC,
then that user can't see the first user's history (local admins excepted, of
course).

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
news:OPc4dNd6IHA.2220@TK2MSFTNGP06.phx.gbl...
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote:
>
>> So the risk is that the user's own password is displayed to the user?

>
> Apparently you missed the point -- COMPLETELY!
>
> 1. A previously entered password must NEVER be displayed to any user.
>
> 2. Think of a shared computer in a public place.
>
> Stefan
>
 
Alun Jones

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:0308CDD5-F4A5-4D1D-BE24-FC16111208DD@microsoft.com...
> Please understand the science here. If a protocol is insecure on the wire,
> then there's zero benefit in trying to hide any aspects of that protocol
> conversation on the individual computer itself. Besides, the displayed
> password (retrieved from the URL history in this case) is displayed only
> to the particular user who's logged on. If some other user logs onto the
> PC, then that user can't see the first user's history (local admins
> excepted, of course).


Your first two sentences are a bit of a copout, Steve.

Plenty of people use FTP securely - say, for instance, over an encrypted
VPN, or over IPsec.

As for the remaining sentences, it's worth noting that in most other places
where you enter a password, the password is blanked out, even though it is
indeed your own password.

The old "my password? yeah, it's eight stars" joke reminds us that
passwords, where they can be recognised as such, should always be hidden
from view. Otherwise, shoulder-surfing gets much easier.

Or are you planning on spreading this message throughout Windows, and having
the logon screen echo the password back to the user as they type it?

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
S. Pidgorny

G'day:

"Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
news:OPc4dNd6IHA.2220@TK2MSFTNGP06.phx.gbl...
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote:
>
>> So the risk is that the user's own password is displayed to the user?

>
> Apparently you missed the point -- COMPLETELY!


No I didn't.

> 1. A previously entered password must NEVER be displayed to any user.


I don't see a problem if it's the user's own password.

> 2. Think of a shared computer in a public place.


It's not secure by definition, therefore mustn't be used for accessing
supposedly protected, personal information, via ftp or otherwise.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
 
Stefan Kanthak

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote:

> G'day:
>
> "Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
> news:OPc4dNd6IHA.2220@TK2MSFTNGP06.phx.gbl...
>> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote:
>>
>>> So the risk is that the user's own password is displayed to the user?

>>
>> Apparently you missed the point -- COMPLETELY!

>
> No I didn't.


You did.-)

>> 1. A previously entered password must NEVER be displayed to any user.

>
> I don't see a problem if it's the user's own password.


So you won't see a problem if the login dialog/screen prints the user's
password too?
Or any other dialog, for example in Outlook, Outlook Express, Windows
Mail, ..., where a "remembered" password can be used?
Get real!

>> 2. Think of a shared computer in a public place.

>
> It's not secure by definition, therefore mustn't be used for accessing
> supposedly protected, personal information, via ftp or otherwise.


The emphasis lies on THINK.
Please construct another more appropriate example yourself, say: you
help your neighbor with his/her computer and log in to one of yours
from said neighbor's computer. Shall that password be displayed to
your neighbor?

Stefan
 
Stefan Kanthak

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote:

> Please understand the science here.


Which "science"?

> If a protocol is insecure on the wire,
> then there's zero benefit in trying to hide any aspects of that protocol
> conversation on the individual computer itself.


Why then do MSFT programs like Internet Explorer, Outlook, Outlook Express
and Windows Mail have this useless feature with zero benefit that hides
passwords for "Basic HTTP Auth", POP3, IMAP or SMTP (with plain auth)?


Stefan
 
Steve Riley [MSFT]

I look at it this way... in the particular case of unencrypted FTP URLs,
since the "userid:password" portion of the URL will be logged in cleartext
in plenty of places besides the user's own profile, I don't see that there's
much additional risk here.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Alun Jones" <alun@texis.invalid> wrote in message
news:49442919-8ED4-4B33-956C-D163B9CB0A4C@microsoft.com...
> "Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
> news:0308CDD5-F4A5-4D1D-BE24-FC16111208DD@microsoft.com...
>> Please understand the science here. If a protocol is insecure on the
>> wire, then there's zero benefit in trying to hide any aspects of that
>> protocol conversation on the individual computer itself. Besides, the
>> displayed password (retrieved from the URL history in this case) is
>> displayed only to the particular user who's logged on. If some other user
>> logs onto the PC, then that user can't see the first user's history
>> (local admins excepted, of course).

>
> Your first two sentences are a bit of a copout, Steve.
>
> Plenty of people use FTP securely - say, for instance, over an encrypted
> VPN, or over IPsec.
>
> As for the remaining sentences, it's worth noting that in most other
> places where you enter a password, the password is blanked out, even
> though it is indeed your own password.
>
> The old "my password? yeah, it's eight stars" joke reminds us that
> passwords, where they can be recognised as such, should always be hidden
> from view. Otherwise, shoulder-surfing gets much easier.
>
> Or are you planning on spreading this message throughout Windows, and
> having the logon screen echo the password back to the user as they type
> it?
>
> Alun.
> ~~~~
> --
> Texas Imperial Software | Web: http://www.wftpd.com/
> 23921 57th Ave SE | Blog: http://msmvps.com/alunj/
> Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
> Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
>
>
 
S. Pidgorny

G'day:

"Stefan Kanthak"
<dont.delete-this.dont.remove-this.nospam@expires-2008-07-31.arcornews.de>
wrote in message
news:4883232f$0$6607$9b4e6d93@newsspool2.arcor-online.net...

> So you won't see a problem if the login dialog/screen prints the user's
> password too?
> Or any other dialog, for example in Outlook, Outlook Express, Windows
> Mail, ..., where a "remembered" password can be used?


Not really. I find hiding my passwords from me very inconvenient at times.
Especially in the case when it gets stored and transmitted to the destination in
clear - then it doesn't make sense at all.

>>> 2. Think of a shared computer in a public place.

>>
>> It's not secure by definition, therefore mustn't be used for accessing
>> supposedly protected, personal information, via ftp or otherwise.

>
> The emphasis lies on THINK.
> Please construct another more appropriate example yourself, say: you
> help your neighbor with his/her computer and log in to one of yours
> from said neighbor's computer. Shall that password be displayed to
> your neighbor?


I avoid situations like that. Not by not helping those in need.

Kindly don't assume that your way of thinking is the only right one.
Printing in all capitals doesn't really prove anything.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
 
Alun Jones

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:54DDFAE8-FFB4-4602-A4E1-ED414741F121@microsoft.com...
> I look at it this way... in the particular case of unencrypted FTP URLs,
> since the "userid:password" portion of the URL will be logged in cleartext
> in plenty of places besides the user's own profile, I don't see that
> there's much additional risk here.


I look at it this way... in the particular case of unencrypted FTP URLs,
browsers - Internet Explorer included - have been woefully remiss in
displaying and storing something that they know to be a password.

Perhaps it'd be a good idea to secure all of those places before
implementing FTPS.

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
 
Brian Knittel

Thanks, Shenan for the links. I'd done some googling on this before I posted
the original question and didn't find these.

So, it's a known, long-standing issue. And it's mind-boggling that the
response is "besides, nobody can see it." (Except maybe someone who walks
up and looks over your shoulder at your monitor, but hey).

It's interesting to note that Internet Explorer does not display the
password. Only Windows Explorer.

Anyway, thanks. I'll see if I can find someone up at Redmond who cares about
this sort of stuff.

> It is not like this discussion is new. -)
>
> Maybe where the password is displayed is (maybe) - but I am sure it has to
> do with 'how the browser has to pass the credentials...' - so it may be a
> direct result of the protocol rules of passing things in clear/plain text.
>
> Internet Explorer 5, Netscape 4.61 Reveal FTP User Names and Passwords
> http://www.astonisher.com/archives/bugnet/alerts/bugalert_81199.html
> (1999)
>
> Internet Explorer discloses FTP access credentials
> http://www.heise-online.co.uk/secur...discloses-FTP-access-credentials--/news/94349
> (2007)
>
> Internet Explorer and Your Web Site's Privacy
> http://blog.washingtonpost.com/securityfix/2007/08/ftp_files_expose_web_site_cred.html
> (2007)
>
>
> How to Enter FTP Site Password in Internet Explorer
> http://support.microsoft.com/kb/135975
> (OLD - since it mentioned Windows 95/98 - but last updated in 2007)
>
> "NOTE: The user name and password you enter in the Login As dialog box are
> passed through as plain text and may be displayed in the Internet Explorer
> title bar or status bar while you are connected to the site.
>
> Note that this is not a secure method of logging on, as the password is
> viewable in plain text. If you require additional security, use the FTP
> client (Ftp.exe) that is included in your version of Windows 95 or Windows
> 98."
>
> Does FireFox do it?
> Opera?
> Any other browsers?
>
> Or do some browsers not even do FTP because of the weak security and how
> they would have to pass the username/password?
>
> --
> Shenan Stanley
> MS-MVP
 
Anteaus

True, and a point that I've often emphasised is that Windows tends to be
faddist about theoretical considerations like repeatedly changing passwords,
and passwords of huge and totally unmemorable complexity, yet leaves a
blooper or two like this which makes the rest truly pointless!

The other point is that to say 'the user' is the only one who sees the
password assumes 'userization' of the computer. This is not always feasible.
In fact, this kind of arrangement is generally only practical with an AD
domain and roaming profiles. In smaller offices the tendency is to work with
a single fixed account regardless of actual user, since any other arrangement
causes too many problems with loss of program-settings.

Though, Windows is not the only OS to suffer this. In Linux' bash shell, try
typing 'su' and having this fail to be recognised, perhaps because of
existing garbage on the commandline. Then type the root password. It gets
stored in the bash history instead of being treated as a password. Once in
there it's surprisingly difficult to remove, too, unless you know some obscure
function-key strokes. Unlike in Windows, closing the command prompt does no
good either, as the history persists between sessions. This one must be
decades old, yet it's never been addressed. It's an oh-so-easy way for an
engineer to unintentionally give a user the root logon.

"Brian Knittel" wrote:

> Stefan got the point: a computer should never display a previously entered
> password in clear text, no matter what, and I have observed Windows doing
> just that.
 
S. Pidgorny

And here's the difference: in Windows, I can have a maximum-length, totally
random password that I don't know. That is, use a smart card for
administrative functions. The AD recovery password that is stored in the vault
is not really required all that often.

And I can set the local administrator password to something random and not
store it anywhere.

I have yet to see a UNIX system that allows smart card logon for the equivalent
of root. Note that I'm not claiming that capability doesn't exist - I'm only
outlining the limit of my knowledge. I'd love to be educated if the
alternative exists.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Anteaus" <Anteaus@discussions.microsoft.com> wrote in message
news:E7304B3B-C41B-4A5D-B6FA-DECD11E6FCCD@microsoft.com...
> True, and a point that I've often emphasised is that Windows tends to be
> faddist about theoretical considerations like repeatedly changing passwords,
> and passwords of huge and totally unmemorable complexity, yet leaves a
> blooper or two like this which makes the rest truly pointless!
>
> The other point is that to say 'the user' is the only one who sees the
> password assumes 'userization' of the computer. This is not always feasible.
> In fact, this kind of arrangement is generally only practical with an AD
> domain and roaming profiles. In smaller offices the tendency is to work with
> a single fixed account regardless of actual user, since any other arrangement
> causes too many problems with loss of program-settings.
>
> Though, Windows is not the only OS to suffer this. In Linux' bash shell, try
> typing 'su' and having this fail to be recognised, perhaps because of
> existing garbage on the commandline. Then type the root password. It gets
> stored in the bash history instead of being treated as a password. Once in
> there it's surprisingly difficult to remove, too, unless you know some obscure
> function-key strokes. Unlike in Windows, closing the command prompt does no
> good either, as the history persists between sessions. This one must be
> decades old, yet it's never been addressed. It's an oh-so-easy way for an
> engineer to unintentionally give a user the root logon.
>
> "Brian Knittel" wrote:
>
>> Stefan got the point: a computer should never display a previously entered
>> password in clear text, no matter what, and I have observed Windows doing
>> just that.

>
 
Brian Knittel

OK, to summarize this: the issue at hand is what happens when Windows
Explorer is given an FTP URL, prompts for a password, and unexpectedly
retains and displays it in plain text in the Address history dropdown. There
are four points to make:

1. The password prompt dialog does not display the password. It displays
bullets. This implies a contract with the user not to expose the password.

2. The password is stored and is recallable from the history even when the
user does NOT check the box "Save this password."

3. Internet Explorer does not display FTP passwords for which it has
prompted. Only Windows Explorer does this.

4. There is no other instance anywhere in Windows (or any other operating
system produced in the last 30 years), either in OS components or
application tools, where a password is stored in and is displayable in plain
text, even if the user wanted it to be. There are reasons for that, and
Windows Explorer alone disregards these reasons.

Any one of these points should be sufficient to make the case that this is
improper behavior and has to be fixed. The four taken together are beyond
compelling. Arguments that "FTP isn't secure anyway, so it's OK for Windows
to reveal the password," or "Only the logged in user can see the password
anyway" are completely beside the point. (And wouldn't have been so
disturbing but for the credentials of their sources).

So -- the people responsible for this at Microsoft have been asleep at the
switch, and nobody has called them to task? Surely this can't be beyond
Microsoft's ability to fix? And surely there's someone up there with enough
of a grasp of the importance of protecting passwords (and protecting user
confidence) to take it on?
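The contract in point 1 above, as a worked check: an entry of the form ftp://username:password@host.domain.com/somefolder should have its password stripped before it reaches a history or autocomplete store, and an existing store can be audited for entries that still carry one. This is an added example, not Windows or Microsoft code; the history entries are constructed samples and the function names are assumptions of this illustration.

```python
"""Detect and redact credentials embedded in URIs before they reach a
history/autocomplete store.  Added illustration, not Windows code.

A history store that honours the password dialog's contract strips the
password from the userinfo part of a URI before persisting it, and an
audit of an existing store flags any entry that still carries one.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample history entries (hosts and credentials are invented).
SAMPLE_HISTORY = [
    "ftp://alice:s3cret@host.example.com/somefolder/report.pdf",
    "ftp://alice@host.example.com/myfolder",
    "ftp://host.example.com/pub",
    "http://bob:hunter2@intranet.example/login",
    "not a uri at all",
]


def embedded_credentials(uri):
    """Return (username, password) found in the URI's userinfo, or None.

    password is None when the userinfo has no ':' (e.g. ftp://alice@host/).
    """
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc or parts.username is None:
        return None
    return parts.username, parts.password


def redact_password(uri, keep_username=True):
    """Rewrite the URI so its userinfo no longer carries a password.

    With keep_username=True the entry stays useful for autocomplete
    (ftp://alice@host/...); with False the userinfo is dropped entirely.
    The host:port part is kept verbatim, so IPv6 literals survive intact.
    """
    parts = urlsplit(uri)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:
        return uri  # no userinfo present, nothing to strip
    username = userinfo.partition(":")[0]  # raw, still percent-encoded
    if keep_username and username:
        new_netloc = f"{username}@{hostport}"
    else:
        new_netloc = hostport
    return urlunsplit(parts._replace(netloc=new_netloc))


def audit_history(entries):
    """Scan stored entries and report those carrying userinfo.

    Each finding records the entry's index, whether a password was present,
    and the redacted form that should have been stored instead.  The
    password itself is deliberately left out of the report.
    """
    findings = []
    for index, uri in enumerate(entries):
        creds = embedded_credentials(uri)
        if creds is None:
            continue
        username, password = creds
        findings.append({
            "index": index,
            "username": username,
            "has_password": password is not None,
            "safe_entry": redact_password(uri),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_history(SAMPLE_HISTORY):
        flag = "PASSWORD" if finding["has_password"] else "username only"
        print(f"entry {finding['index']}: {flag}; store as {finding['safe_entry']}")
```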
 
Shenan Stanley

Brian Knittel wrote:
> OK, to summarize this: the issue at hand is what happens when
> Windows Explorer is given an FTP URL, prompts for a password, and
> unexpectedly retains and displays it in plain text in the Address
> history dropdown. There are four points to make:
>
> 1. The password prompt dialog does not display the password. It
> displays bullets. This implies a contract with the user not to
> expose the password.
> 2. The password is stored and is recallable from the history even
> when the user does NOT check the box "Save this password."
>
> 3. Internet Explorer does not display FTP passwords for which it has
> prompted. Only Windows Explorer does this.
>
> 4. There is no other instance anywhere in Windows (or any other
> operating system produced in the last 30 years), either in OS
> components or application tools, where a password is stored in and
> is displayable in plain text, even if the user wanted it to be.
> There are reasons for that, and Windows Explorer alone disregards
> these reasons.
> Any one of these points should be sufficient to make the case that
> this is improper behavior and has to be fixed. The four taken
> together are beyond compelling. Arguments that "FTP isn't secure
> anyway, so it's OK for Windows to reveal the password," or "Only
> the logged in user can see the password anyway" are completely
> beside the point. (And wouldn't have been so disturbing but for the
> credentials of their sources).
> So -- the people responsible for this at Microsoft have been asleep
> at the switch, and nobody has called them to task? Surely this
> can't be beyond Microsoft's ability to fix? And surely there's
> someone up there with enough of a grasp of the importance of
> protecting passwords (and protecting user confidence) to take it on?


In reference to your last paragraph...

Actually - I think it is more likely the, "many better file transfer methods
exist and better ways to use even this particular file transfer method exist
other than using a browser/windows explorer" that you want to dismiss as
"beside the point".

Anyway - this is a public newsgroup - for discussion purposes only. It will
be unlikely to prompt anyone to do anything. -)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 