VNC very insecure

Any feature you'd like to see in Ultr@VNC? Just propose it here.

VNC very insecure

Postby Mr Faber » 2004-10-03 08:16

Is it possible to use SHA1 or an other secure hash instead of the old method because it seems to be very easy to crack the password from the registry.
http://phenoelit.de/fr/protos.html#VNC
Maybe there can be an option for compatible (insecure method) or new ultravnc password storing (with SHA1 or maybe SHA-256 :) ). If you activate the secure option the old values have to be removed.

CU
Mr Faber
Mr Faber
 
Posts: 3
Joined: 2004-07-12 12:51

Postby Rudi De Vos » 2004-10-03 18:10

Direct registry hacking

The risk is limited, you need a standard windows password to get access to the registry.

If you can get access, you can change the password without
the need to crack it.
If you have physical access, you can boot from a linux cdrom
and even change the administrator account. AFter that you can do what you want.


Net sniffering and packet capturing

This is possible, for external connections you should always use some kind of extra encryption.
If somebody insite you network is capable of doing this, be sure he has 100 other ways of getting access. 99% of the security breaks are caused by users, how many bosses have there password on the bottom of there keyboard, or secured document are printed and left on the desk.
Rudi De Vos
Admin & Developer
Admin & Developer
 
Posts: 5909
Joined: 2004-04-23 10:21

Postby Sir Nigel » 2004-10-04 04:04

This is an old issue. Just make sure you use the mslogon and you should be fine.
This space not for rent.
Sir Nigel
20
20
 
Posts: 48
Joined: 2004-05-24 03:20
Location: Texas

Re: VNC very insecure

Postby lenisham » 2004-10-04 10:51

Mr Faber wrote:Is it possible to use SHA1 or an other secure hash instead of the old method because it seems to be very easy to crack the password from the registry.
http://phenoelit.de/fr/protos.html#VNC
Maybe there can be an option for compatible (insecure method) or new ultravnc password storing (with SHA1 or maybe SHA-256 :) ). If you activate the secure option the old values have to be removed.

CU
Mr Faber


As long as we're on the subject when will the file transfer require a password before allowing a connection and file transfers?
lenisham
40
40
 
Posts: 104
Joined: 2004-06-24 07:00


Return to Feature requests

Who is online

Users browsing this forum: No registered users and 1 guest