Channel: 2BrightSparks

Re: SyncBack insecurely stores passwords.

Hi, using the Microsoft DPAPI has other issues in that you (or any software you run) can decrypt it without even needing the encryption key (*) (as long as you're on the same computer and logged in as the same user) and you cannot decrypt later if your password is changed by the admin, you re-install Windows, change user (e.g. if exporting and importing), etc.

We've changed the encryption for the next release, but the same issue will exist in that you cannot stop decryption unless the user chooses the key themselves and secures that key. Having the user choose the key has issues in that it must be available to decrypt, either via prompting or giving access to the key file.

(*) You can add an additional encryption key, but that would be a key in the EXE, so it doesn't make it any more secure.
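The DPAPI behaviour described in the post above, shown as an added example that is not part of the original thread and is not SyncBack's code. It assumes Windows PowerShell on a Windows machine; the secret and entropy strings are constructed sample values.

```powershell
# Added example: DPAPI (CurrentUser scope) with and without optional entropy.
Add-Type -AssemblyName System.Security

$dpapi  = [System.Security.Cryptography.ProtectedData]
$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$utf8   = [System.Text.Encoding]::UTF8
$secret = $utf8.GetBytes('constructed-sample-password')   # constructed value

# 1. Protect with no entropy: the caller supplies no key at all.
#    Windows derives the key material from the logged-on user's credentials.
$blob = $dpapi::Protect($secret, $null, $scope)

#    Any process running as the same user on the same computer can reverse it,
#    again without supplying a key.
$plain = $dpapi::Unprotect($blob, $null, $scope)
"No entropy, same user: " + $utf8.GetString($plain)

# 2. Protect with optional entropy (the "additional encryption key" in the footnote).
$entropy = $utf8.GetBytes('constructed-app-entropy')       # constructed value
$blob2   = $dpapi::Protect($secret, $entropy, $scope)

#    Without the entropy, decryption fails even for the same user.
try {
    [void]$dpapi::Unprotect($blob2, $null, $scope)
    "Without entropy: decrypted (unexpected)"
} catch {
    "Without entropy: failed with " + $_.Exception.GetBaseException().GetType().Name
}

#    With the entropy it succeeds, so the protection is only as strong as the
#    secrecy of that value. If it ships inside the application binary, every
#    copy of the application carries it.
$plain2 = $dpapi::Unprotect($blob2, $entropy, $scope)
"With entropy: " + $utf8.GetString($plain2)
```

The blob produced here is bound to the current user profile on the current machine, which is why a stored profile protected this way cannot be decrypted after an export to another user or a Windows re-install.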
