Hashed default password

Postby hydrian » 2014-10-15 18:49

Ello,
I'd like to recommend a security enhancement. I know that UltraVNC used to store the default VNC password in clear text in the registry. This allows a bad admin or program to scavenge the passwords if it happens to have access to the registry key.

I propose that we should store the default password in a one-way seeded hash. This way, if a registry entry is left insecure (default installation), even if the entry is read, the default password is not known.
hydrian
 
Posts: 1
Joined: 2014-10-15 15:46

Re: Hashed default password

Postby Rudi De Vos » 2014-10-15 21:21

There is no default password, the initial password has a random value.
The password is saved in the ultravnc.ini file with some weak DES encryption; we don't use the registry.

The password is encrypted with some weak DES encryption as the server needs to be able to decrypt.
Rudi De Vos
Admin & Developer
 
Posts: 5324
Joined: 2004-04-23 10:21
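
An added example, not part of the thread or of UltraVNC's code: classic VNC Authentication (RFC 6143, section 7.2.2) has the client encrypt a 16-byte server challenge with DES keyed by the password, which is why the server needs the password in recoverable form and a salted one-way hash alone cannot check the response. The sketch uses HMAC-SHA256 as a stand-in for the DES step and PBKDF2 as the assumed "seeded hash"; all function names and the sample password are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor for the illustration


def store_hashed(password: str) -> tuple[bytes, bytes]:
    """What the first post proposes: keep only a salted one-way hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_submitted(password: str, salt: bytes, digest: bytes) -> bool:
    """Works only when the client sends the password itself to the server."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side of challenge-response: key the challenge with the password.
    HMAC-SHA256 stands in for the DES step of VNC Authentication."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def server_check(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the response from whatever secret it holds on disk."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict[str, bool]:
    password = "constructed-sample-pw"  # constructed sample value
    salt, digest = store_hashed(password)
    challenge = secrets.token_bytes(16)  # 16-byte challenge, as in RFC 6143
    response = client_response(password, challenge)
    return {
        "hash_verifies_submitted_password": verify_submitted(password, salt, digest),
        "hash_rejects_wrong_password": not verify_submitted("wrong", salt, digest),
        # Server that can recover the password can check the response.
        "recoverable_secret_checks_response": server_check(password.encode(), challenge, response),
        # Server holding only the one-way hash cannot reproduce the response.
        "hash_only_checks_response": server_check(digest, challenge, response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the stored value has to stay recoverable under this protocol, the practical control is restricting read access to ultravnc.ini rather than changing how the value is encoded.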

