CA-2001-01 Viscosity Breakdown in Common Password Storage Devices

Original release date: June 3, 2001

A complete revision history is at the end of this file.

Systems Affected

  • Any password storage device that relies on viscous material.

Overview

Password storage devices that rely on viscous material may experience viscosity breakdown over time, rendering these devices less effective. In some cases, passwords may be lost completely.

I. Description

Background

Due to problems surrounding user memory, it is a somewhat common practice to store passwords and pass phrases somewhere they can be later retrieved by the user.

One common technique for protecting passwords is to store them on a device that relies on viscous material to maintain its usefulness. The most common of these devices is produced by 3com and is known as the Post-It.

Over time, viscous material may be exposed to unexpected input, such as dust, hair, and lubricants. Eventually, these devices reach a point of “viscosity breakdown” where their viscous nature is impeded and they no longer function as designed.

While the device may still retain the password or pass phrase, the exact location of the storage device may vary.

II. Impact

When viscosity breakdown occurs, two serious issues may be experienced by users of these devices.

  • Inability to locate and/or access passwords/pass phrases.
  • Password/pass phrase exposure.

Either of these issues can result in severe harm, though the second presents more opportunity for malicious users.

III. Solution

Solutions for Users

CUSERT is currently unaware of any real solutions to this problem; however, a workaround exists. A CUSERT representative pretending to be a 3com representative suggested that UNIX/Linux users restart their viscous storage devices on a regular basis. Windows and Macintosh users must replace the device.

UNIX/Linux users can do this by sending a hangup signal to the device.

kill -HUP /dev/post-it

Red Hat users can use this command:

/etc/rc.d/init.d/post-it restart

The spokesman suggested implementing this as a cron job.

For enhanced backup security, it is recommended that you also post your passwords and pass phrases on your website if you have one.

CERT/CC Contact Information

Email: [email protected]

Phone: +1 900-IMA-USER (24-hour hotline)

CUSERT personnel answer the hotline 08:00-20:00 EST (GMT-5) / EDT (GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Getting security information

CUSERT publications and other security information are available from our web site

https://www.bhodisoft.com/CUSERT/

Copyright 2001 Blake R. Swopes.


NO WARRANTY
Any material furnished by Computer User Stupidity Emergency Response Team/Coordination Center is furnished on an “as is” basis. CUSERT makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. CUSERT does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Revision History

June 3, 2001: Initial release.
December 25, 2012: Moved to new CMS.
