VanDyke Software Forums

  #1  
08-26-2009, 01:19 AM
missile77
Registered User

Join Date: Aug 2009
Posts: 1
Recover Password from .ini file

Hi,
I have some .ini files and I have to recover a password from one of these.
I have to get into a Sun machine from the root console and I don't remember the password.
Do you know a method to decrypt the password from the configuration file?

thanks
missile
  #2  
08-26-2009, 07:34 AM
bgagnon
VanDyke Technical Support
 
Join Date: Oct 2008
Posts: 1,808
Hello missile77,

We do not offer a mechanism to "decrypt" stored passwords, as this would be a security risk. You should contact the administrator of the remote device to have your password reset.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
  #3  
09-02-2009, 02:20 PM
Olaf van der Spek
Registered User
 
Join Date: Jul 2004
Posts: 168
Isn't that security through obscurity?
  #4  
09-02-2009, 05:17 PM
jdev
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 399
Quote:
Originally Posted by Olaf van der Sp
Isn't that security through obscurity?
The SSH1/SSH2 password stored in a SecureCRT session configuration file is not merely obscured, it's encrypted. Security through obscurity would be more like saving the unencrypted form of the password in a hexadecimal format, or perhaps even under an option named anything but "Password" within the .ini file.

Regardless of how you want to define "security through obscurity", one of the main issues, Olaf, is liability.

The complexity associated with an individual needing to adequately prove they are the rightful owner of an .ini file containing a saved password makes it impossible for us to verify .ini file ownership. How do we know you are the rightful owner of the .ini file containing the encrypted, forgotten password vs. a hacker/thief who happened to illegally acquire someone else's .ini files?

Therefore, if we provided an easy way to recover an encrypted password, we'd be putting ourselves in a position of gravely undesired liability.

In most security-conscious situations, passwords can be changed easily, but it should be very difficult to recover a password. For example, if a user forgets their Windows/Unix login password, they petition their system administrator to change their password so they can gain access to the system. Note that the user doesn't contact Microsoft or their Unix vendor to recover their password; they contact their administrator who is authorized to temporarily restore the user's access to the system.

With respect to the issue of "security" regarding saved passwords, the "best practice" is to never save passwords in the first place. However, since a good number of customers demand the ability to save passwords, SecureCRT needs to put forth its best effort to ensure that it's very hard to get at the password simply by acquiring the .ini file.

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
support@vandyke.com
http://www.vandyke.com/support
  #5  
09-06-2009, 04:23 AM
Olaf van der Spek
Registered User
 
Join Date: Jul 2004
Posts: 168
Quote:
Originally Posted by jdev
The SSH1/SSH2 password stored in a SecureCRT session configuration file is not merely obscured, it's encrypted. Security through obscurity would be more like saving the unencrypted form of the password in a hexadecimal format, or perhaps even under an option named anything but "Password" within the .ini file.
The "through obscurity" bit comes from not telling where the decryption key is stored.
Quote:
Regardless of how you want to define "security through obscurity", one of the main issues, Olaf, is liability.

The complexity associated with an individual needing to adequately prove they are the rightful owner of an .ini file containing a saved password makes it impossible for us to verify .ini file ownership. How do we know you are the rightful owner of the .ini file containing the encrypted, forgotten password vs. a hacker/thief who happened to illegally acquire someone else's .ini files?
You don't. But that doesn't seem relevant. It's like a virus/bot. If your PC is infected, it's no longer your PC. The same applies to sessions containing stored passwords.
Quote:
Therefore, if we provided an easy way to recover an encrypted password, we'd be putting ourselves in a position of gravely undesired liability.

In most security-conscious situations, passwords can be changed easily, but it should be very difficult to recover a password. For example, if a user forgets their Windows/Unix login password, they petition their system administrator to change their password so they can gain access to the system. Note that the user doesn't contact Microsoft or their Unix vendor to recover their password; they contact their administrator who is authorized to temporarily restore the user's access to the system.
True, but that's because one-way hashing has been used. That's not the case here.
  #6  
09-08-2009, 11:27 AM
jdev
VanDyke Technical Support
 
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 399
Olaf,

What problem are you trying to solve?

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
support@vandyke.com
http://www.vandyke.com/support
  #7  
09-08-2009, 01:04 PM
Olaf van der Spek
Registered User
 
Join Date: Jul 2004
Posts: 168
Quote:
Originally Posted by jdev
Olaf,

What problem are you trying to solve?

--Jake
Hi Jake,

Nothing, just having some discussion.
  #8  
11-07-2011, 02:16 PM
rlarian
Registered User
 
Join Date: Nov 2011
Posts: 1
Recover password

All passwords are very complex and are stored in a password vault, except one. We can copy/paste the encrypted line from the .ini to other .ini files and this works. However, for some unknown reason, some of the folks use PuTTY - getting this to work in PuTTY requires us to get the password (normally stored in the vault).


Please don't require that I do something like THIS
  #9  
11-07-2011, 03:10 PM
miked
Registered User
 
Join Date: Feb 2004
Posts: 2,040
This looks like the same question that was originally asked, and answered. We cannot provide a way to decrypt a password in a .ini file when there is no way to prove that you are the owner of the .ini file.
Quote:
The complexity associated with an individual needing to adequately prove they are the rightful owner of an .ini file containing a saved password makes it impossible for us to verify .ini file ownership. How do we know you are the rightful owner of the .ini file containing the encrypted, forgotten password vs. a hacker/thief who happened to illegally acquire someone else's .ini files?

Therefore, if we provided an easy way to recover an encrypted password, we'd be putting ourselves in a position of gravely undesired liability.
__________________
Mike
VanDyke Software
Technical Support
http://www.vandyke.com/support
All times are GMT -7.


copyright 1995-2014 VanDyke Software, Inc.