Reliable Software Technologies, a Sterling, Va., software-security company, said Tuesday that two RST engineers needed just eight hours to duplicate the mathematical algorithm Netscape Mail uses to scramble users' passwords. The company said the problem affects all current versions of Netscape.
Gary McGraw, vice president for corporate technology at RST, said the Netscape algorithm was "not an obvious sitting duck -- [the password] appears to be scrambled up in a good way, but it's not cryptographically strong." That would allow a determined hacker to reverse-engineer the algorithm and figure out the password.
According to RST, the engineers who found the security hole came upon it inadvertently. They were writing a program "to look for badly protected key material, like passwords," says Dr. McGraw, adding that to test the program's validity, they ran it against Netscape's e-mail system because it's a highly popular software system that millions of people use.
According to Dr. McGraw, the engineers ran their program against their own e-mail accounts and noticed scrambled versions of their passwords in the "registry" files maintained by the Windows operating system.
Algorithm not secure
The passwords recorded in the Windows registry weren't saved verbatim, but scrambled by a proprietary algorithm of Netscape's. But that algorithm isn't secure, RST said. By changing their passwords and then checking the registry file repeatedly, RST's engineers were able to decipher the pattern Netscape used to scramble them.
"We entered in passwords like 'a' and waited to see what would come out," Dr. McGraw said. "Then we kept changing it. Now it's 'a,' now it's 'b,' now it's 'ab.' "
Chris Saito, the senior director for product management at Netscape, said that the option to save a password locally was included for convenience. Saito added that Netscape didn't use a stronger encryption algorithm to protect passwords so that "computer experts could still access the information, in case someone forgot their password."
At odds over existance
Saito noted that Netscape already has numerous safety features, including a Secure Sockets Layer, which enables users to communicate securely with Web servers, and a protocol for encrypting e-mail messages sent.
"As it stands now, we view this as a machine problem, not a Netscape problem," he said.