I can get and crack your password hashes from an email -CSO

I love this one. A CSO Online story a few days ago describes how you can just send someone an email containing a link with a certain type of URL; if the recipient uses Windows, simply viewing the email makes their machine send your system their username and password hash.


This is a new twist on the IE-sends-you-the-password hack already described here, and it's something we should have figured out already. And it's worse, really. Every program on Windows that uses URLs, such as file dialogs, editors or the desktop, has this bug/feature. I can trigger this with Notepad.

So my recommendations: if you can't avoid Windows, use text view for emails, two-factor authentication and long passwords. Long passwords because the longer the password, the less likely it is to be in rainbow tables. And always use a password longer than 15 characters, because Windows passwords shorter than that can be decrypted.
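Text view sidesteps the problem for the mail client, but a mail gateway can also flag the offending links before delivery. Below is an added example, not from the CSO story or this blog, of a small scanner for the link type described above: it walks an HTML email body and reports any fetched or clickable attribute that points at a remote `file://` or `\\host\share` (UNC) target, the kind that makes a Windows client attempt SMB/NTLM authentication. The sample email and host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attribute values a mail client fetches or follows. The first group is
# loaded automatically when the message renders; the rest need a click.
AUTO_FETCH_ATTRS = {"src", "background", "poster", "data"}
CLICK_ATTRS = {"href", "action"}

# Remote targets only: file://host/..., \\host\share\..., //host/share.
# file:///C:/... has no host component and is deliberately not matched.
SMB_TARGET = re.compile(
    r"^(?:file:)?(?:\\\\|//)(?!/)(?P<host>[^\\/\s]+)", re.IGNORECASE
)


class SmbLinkScanner(HTMLParser):
    """Collects (tag, attr, value, host, trigger) for remote SMB/UNC links."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in AUTO_FETCH_ATTRS:
                trigger = "auto"      # fires on render, no user action needed
            elif name in CLICK_ATTRS:
                trigger = "click"
            else:
                continue
            m = SMB_TARGET.match(value.strip())
            if m:
                self.findings.append((tag, name, value, m.group("host"), trigger))


def find_smb_links(html):
    """Return every remote SMB/UNC reference found in an HTML email body."""
    scanner = SmbLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample message: a 1x1 tracking image on a UNC path (auto),
# a file:// link to a remote server (click), a local file URL and a web link.
SAMPLE_EMAIL = r"""<html><body><p>Quarterly report attached.</p>
<img src="\\203.0.113.7\share\logo.png" width="1" height="1">
<a href="file://fileserver.example/docs/report.docx">Open report</a>
<a href="file:///C:/Users/Public/readme.txt">local copy</a>
<a href="https://example.com/report">Web copy</a></body></html>"""

if __name__ == "__main__":
    for tag, attr, value, host, trigger in find_smb_links(SAMPLE_EMAIL):
        print(f"{trigger:5} <{tag} {attr}> -> host {host}: {value}")
```

On the sample it reports the image (auto-fetched) and the remote file:// link, and ignores the local file URL and the HTTPS link.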

I realize that telling everyone to switch away from Windows is not possible; there is too much invested in it everywhere, and besides, I wouldn't have anything to do. Windows problems and fixes are what keep the computer industry going.

Hopefully it won't be so long until the next post. Sorry, guys.

About echlinm

Computer Programmer/Systems Analyst/Hacker S31
This entry was posted in Computers and Internet.
