in message
The Auto-login "tweak" is not secure! It stores the password as
plain
Ascii text.
--- REPLY SEPARATOR ---
Only required because above poster used QUOTED-PRINTABLE format.
When posting to newsgroups, do NOT use quoted-printable format.
* Not all NNTP clients handle quoted-printable format.
- Some users still use console-mode (non-GUI) NNTP clients.
- The long lines may not wrap properly.
- Scrolling is needed if the long line does not get wrapped.
- The long line may get truncated at the window's width.
- Quoted-printable format uses special character sequences for
logical formatting. View the raw source of your post. Text-
only clients may show that encoding when viewing your post.
* Quoting levels get mangled, especially for multiple replies.
* In replies, there is no clear delineation of content.
- Cannot tell what content is from the original poster and
what is from the respondent.
- Makes impossible to determine who said what when a reply
inserts comments inline with the quoted content.
---[end of comments]---
And what is your point? If the user is using ANY auto-login procedure
which automatically bypasses the login credentials then anyone can
boot that computer to get into that account. So just how is using an
auto-login process that stores the password in plain-text any less
secure than using the auto-login process in the first place? Duh!
Using auto-login obviates security. ANYONE can get into that Windows
account, and if it is an admin-level account then ANYONE also has
admin privileges on that host.
So just where in the registry do you think TweakUI stores the recorded
password in plain-text? You are proliferating outdated information.
If you had even looked at TweakUI's description of its auto-logon
feature, it says the password is encrypted. When TweakUI's auto-logon
feature is enabled:
- The following registry key is created or modified:
key = HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
data name = AutoAdminLogon
data value = 1
If the data item is missing (not defined) or 0, auto-logon is not
enabled. TweakUI will create the data item with a value of 1 (when
you enable auto-logon) or delete this data item (when you disable
auto-logon).
- If you follow the instructions at
http://support.microsoft.com/kb/315231/en-us, yes, you are saving the
password as a plain-text value in the DefaultPassword data item.
TweakUI does NOT create this data item anymore. It does NOT save your
login password as a plain-text value in the registry. Test this for
yourself. Enable auto-logon in TweakUI, enter your login username,
click the Password button and enter it, and click Apply. Now go
searching through your registry for a string that matches on your
password. You won't find it.
I am using TweakUI 2.10.0.0 for Windows XP (SP1 and up). Maybe you
are using an older version of TweakUI that followed the KB article
which would result in saving your password in plain-text in a data
item in the registry. The latest version of TweakUI uses the
Microsoft Cryptographic Application Programming Interface (CryptoAPI)
to store the password in an encrypted part of the registry or in a
disk file depending on which NT-based version of Windows you are
using. You can see the list of CSPs (Cryptography Service Providers)
by looking under
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider. The default
CSP for the current logged on user is found listed under
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001.
Under Windows NT, CSPs store their key containers in two locations of
the system registry: HKCU\Software\Microsoft\Cryptography\UserKeys and
HKLM\Software\Microsoft\Cryprography\MachineKeys. The first is usually
used by a stand-alone application and the second by a process running
on behalf of a non-interactive user, such as an IIS/ASP application.
However, in Windows 2000, Microsoft moved from storing the encrypted
data in the system registry to storing it in the file system under
"%userprofile%\Application Data\Microsoft\Crypto\RSA\<userSID>" and
"\Documents and settings\All Users\Application
Data\Microsoft\Crypto\RSA\Machinekeys". By entering your logon
username, you specify which profile under which to retrieve the
encrypted data that is your logon password. So whether the password
is encrypted or not depends on whether you use an old or new version
of TweakUI. Make sure you use a later (or latest) version of TweakUI
that encrypts the password rather than save it as plain-text in the
registry.
But so what if the password were not encrypted? If you are
automatically bypassing the logon, you have bypassed security. No one
needs the plain-text version of your password. They don't need it.
You opened your computer so ANYONE can automatically log into your
account when they reboot the host. You unlocked the door and then
left it open for the flies and vermin to come in and infest your home.
