Where are my passwords?

To read your emails, use Subversion, connect to Jabber, and use many other services, you have to specify a login and a password. Most applications offer to store them somewhere so that you don't have to retype them next time. But where are your passwords stored? And how are they stored?

I wrote a small program to list the stored passwords on a typical Linux desktop: Lamer (website in French, source code written in English). It supports a few applications:

  • Email, instant messaging, IRC: gajim, pidgin (gaim), konversation, evolution
  • FTP client: gftp, ncftp and yafc
  • Other: svn and pypi

Only gftp uses a cipher, and a trivial one; all the other applications store passwords without any encryption (base64 is an encoding, not an encryption algorithm). Exception: gajim and pidgin support Gnome Keyring when it is available (e.g. not on KDE).

For a week I was looking for where my wifi passphrase is stored on Gnome. Wifi is handled by NetworkManager, which runs as a daemon. The manager stores the passphrase in the Gnome Keyring, which is encrypted. But right after the GDM login, wifi is already connected without any specific action (Gnome does not ask for my keyring password!). The reason is that Gnome Keyring uses two keyrings: a system keyring and a personal keyring. The first one has the same password as my UNIX account and is unlocked at login by libpam-gnome-keyring.

I wrote a file parser in Hachoir for Gnome Keyring: gnome_keyring.py. The file format is quite simple and has two layers. The first one is not encrypted and contains the keyring name, timestamps, the salt and the number of hash iterations. The second layer contains the passwords and is encrypted with a key derived from the SHA256 hash of the user password + salt, where SHA256 is re-applied to the digest "hash iterations" times (e.g. 1526 iterations in my keyring!). The salt defeats precomputed rainbow tables, and the iteration count makes every password guess about 1526 times more expensive to test, which slows down brute-force attacks.

Ideas to go further: use the plaintext passwords (e.g. the ones recovered by Lamer) to try to open the keyrings (KWalletManager, Gnome Keyring and Firefox Password Manager), since most users reuse the same passwords everywhere…
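As an added example (my code, not the post's and not gnome-keyring's source), here is the key stretching described above in Python, together with the password-reuse attack from the ideas list: a few plaintext passwords of the kind Lamer recovers are tried as guesses against a keyring key. The salt, the wordlist and the exact chaining of the iterated SHA256 are assumptions, since the post only gives the outline; how the derived bytes are split into an AES key and a CBC IV is not covered by the post and is left out.

```python
"""Added example: iterated SHA-256 key stretching as the post describes it
for the Gnome Keyring file, plus a dictionary attack that reuses plaintext
passwords harvested from other applications. Standard library only."""
import hashlib


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Return a 32-byte key: SHA-256 over password + salt, then SHA-256
    re-applied to the running digest until `iterations` hashes have run.

    Assumption: this follows the post's outline. gnome-keyring's own code
    may chain the digest differently and also has to split the result
    into an AES key and a CBC IV, which the post does not describe.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256(password + salt).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def dictionary_attack(target_key: bytes, salt: bytes, iterations: int,
                      wordlist):
    """Try each candidate in order; return (password or None, SHA-256
    calls spent). Comparing against target_key is a stand-in oracle:
    against a real keyring you would AES-CBC-decrypt the second layer with
    the derived key and check whether the plaintext parses.
    """
    hashes = 0
    for candidate in wordlist:
        hashes += iterations          # one full derivation per guess
        if derive_key(candidate, salt, iterations) == target_key:
            return candidate, hashes
    return None, hashes


def demo(iterations: int = 1526) -> dict:
    """Constructed scenario: the keyring password is one the user also
    typed into an application that stores it in clear text."""
    # Constructed data: a salt as the unencrypted header would carry it,
    # and a short list of plaintext passwords as printed by a Lamer-style
    # tool. None of this comes from a real keyring.
    salt = bytes.fromhex("0f1e2d3c4b5a6978")
    keyring_password = b"letmein"
    recovered_from_apps = [b"hunter2", b"trustno1", b"letmein", b"qwerty"]

    target = derive_key(keyring_password, salt, iterations)
    found, hashes = dictionary_attack(target, salt, iterations,
                                      recovered_from_apps)

    # Same password, different salt: a precomputed table built for one
    # salt is useless for another, which is what the salt is for.
    other_salt = bytes.fromhex("ffffffffffffffff")
    other = derive_key(keyring_password, other_salt, iterations)

    return {
        "recovered": found,
        "hashes": hashes,                 # 3 guesses * iterations
        "other_salt_matches": other == target,
    }


if __name__ == "__main__":
    result = demo()
    print("recovered keyring password:", result["recovered"])
    print("SHA-256 calls spent:", result["hashes"])
    print("same key under another salt:", result["other_salt_matches"])
```

The attack still succeeds because the guess list is tiny and the password is reused; what the iteration count changes is the cost per guess (here 1526 SHA-256 calls instead of one), which only matters once the attacker has to try millions of candidates.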


One Response to “Where are my passwords?”

  1. haypo Says:

    Oops, I forgot to write the cipher engine: gnome-keyring uses AES in CBC mode.
