
Security update: passwords on your computer
January 2008
We'd like to update you on a weakness we have been looking into, concerning passwords saved on your computer.
If you ever click 'Yes' when an application (a web browser, for example) offers to remember your password, that password is stored on your computer. The common assumption has been that, because it is stored in encrypted form, nobody else can unscramble and retrieve it. The catch is that the application has to decrypt it again without asking you, so the key it uses (or the means to derive that key) is kept on the same computer, within reach of anything else that runs as you.
It's no longer safe to store passwords in this way
There are now programmes freely available on the internet that read and decrypt the passwords saved by common applications on a personal computer, or on a server where the same applications have been used. They need no special trick: they run with the same rights as the user who saved the passwords, so they can read the same stored keys. And there are lots of ways in which someone can get such a programme onto your computer. These include:
- Sending it to you as an attachment, or hidden in an attachment on an email
- Plugging a USB drive or CD-ROM into your computer
- Accessing your computer across a corporate or home network
- Hiding it in something legitimate that you download from the web
... the possibilities are numerous.
Once the programme is on your machine it only needs to run once: within seconds it can collect every saved password and send them out over the internet to whoever planted it.
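For readers who want to see why "it's encrypted" is not enough on its own, here is a small added Python illustration. It is not part of the original notice and does not reproduce any real browser's storage format: a dict stands in for the files of a user profile, the site and passwords are constructed samples, and SHA-256 in counter mode is used as a stand-in stream cipher so the script runs with the standard library alone. It contrasts the 'remember my password' design, where the key is written next to the data, with a master-password design, where the key is derived from a secret the user types and never written to disk, and shows that the latter only helps when the master password is not guessable.

```python
"""Toy model of a 'remember my password' store, to show why encrypted
saved passwords are still recoverable by any programme running as you.

Added illustration only: not taken from the original notice and not any
real browser's code. The dict 'profile' stands in for the files of a user
profile; SHA-256 in counter mode is a stand-in stream cipher so the script
needs nothing beyond the standard library.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
KDF_ROUNDS = 100_000  # PBKDF2 work factor for the master-password design


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(key, nonce, ct)


def save_remembered(profile: dict, site: str, password: str) -> None:
    """Design 1 ('Remember my password'): the key lives in the profile next to
    the data, because the application must decrypt without asking the user."""
    key = profile.setdefault("key.bin", secrets.token_bytes(32))
    profile.setdefault("logins", {})[site] = seal(key, password.encode())


def save_with_master(profile: dict, master: str, site: str, password: str) -> None:
    """Design 2 (master password): the key is derived from a secret the user
    types each session; only the salt is written to disk."""
    salt = profile.setdefault("salt.bin", secrets.token_bytes(16))
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ROUNDS)
    profile.setdefault("logins", {})[site] = seal(key, password.encode())


def harvest(profile: dict, guesses=("", "password", "123456")) -> dict:
    """What a password-stealing programme does once it runs as the user: read
    the profile, use the stored key if there is one, otherwise try a short list
    of common master passwords. Returns {site: password or None}."""
    keys = []
    if "key.bin" in profile:
        keys.append(profile["key.bin"])
    elif "salt.bin" in profile:
        salt = profile["salt.bin"]
        keys = [hashlib.pbkdf2_hmac("sha256", g.encode(), salt, KDF_ROUNDS) for g in guesses]
    found = {}
    for site, blob in profile.get("logins", {}).items():
        found[site] = None
        for key in keys:
            pt = unseal(key, blob)
            if pt is not None:
                found[site] = pt.decode()
                break
    return found


def demo() -> dict:
    """Three constructed profiles, all holding the same saved login."""
    site, pw = "https://mail.example.com", "hunter2"  # constructed sample
    remembered, strong, weak = {}, {}, {}
    save_remembered(remembered, site, pw)
    save_with_master(strong, "correct horse battery staple", site, pw)
    save_with_master(weak, "password", site, pw)
    return {
        "remembered": harvest(remembered),   # recovered: the key was on disk
        "strong_master": harvest(strong),    # not recovered
        "weak_master": harvest(weak),        # recovered by guessing the master
    }


if __name__ == "__main__":
    for design, result in demo().items():
        print(f"{design:14s} {result}")
```

The point of the three runs is that the encryption itself is sound in every case; what decides the outcome is whether the attacker's programme can get hold of the key. With the key on disk it always can. With a master password it has to guess, which is why such a feature only helps when the master password is long and unusual.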
So what programmes could be affected?
Almost any programme you care to mention, including web browsers, instant messenger and email applications, VNC and Remote Desktop. Some specialist IT admin applications are not affected.
And what should I do to protect myself?
First, take care not to save any passwords on your computer: click 'No' whenever an application asks 'Do you want to remember your password?'
Second, remove the passwords already saved. If you use Internet Explorer, go to 'Tools' - 'Delete Browsing History' - 'Delete passwords'. Other web browsers have similar facilities, and we recommend that you use them. Bear in mind that this limits what such a programme can collect; it does not stop the programme itself, so keeping untrusted attachments, downloads and removable media off your computer in the first place remains just as important.
If you have any other concerns or wish to discuss other ways of protecting your computers and your business, please contact us.