Author Topic: Password cache in memory  (Read 10319 times)

Offline csharpmania

  • Newbie
  • *
  • Posts: 1
Password cache in memory
« on: November 03, 2012, 06:55:59 PM »
Hi,
I can see warning from TrustConnect. Message on end of this text. What should i do to protect and encrytp all of my network traffic from others ?

Warning Message which i got :
"this configuration may cache passwords in memory -- use the auth-nocache option "

Offline dlimonov

  • Comodo Loves me
  • ****
  • Posts: 142
Re: Password cache in memory
« Reply #1 on: November 05, 2012, 02:55:25 AM »
Hi,
This option is used for user's convenience to prolong the session automatically.
If you disable this option you would have to re-enter your password
every 30 minutes because the TLS ciphers need to be renewed.
The password is stored in TrustConnect memory space, which is unlikely to be accessible
for viruses and other malware.

Offline kama50

  • Newbie
  • *
  • Posts: 16
Re: Password cache in memory
« Reply #2 on: April 25, 2013, 04:04:12 PM »
I am interested in getting further clarification on the meaning of:

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

In the previous post, it implies that the purpose is just to keep one logged in, and I suppose logged into TrustConnect.  However, if that is the case, then shouldn't there only be ONE password to worry about?  Why is the comment referring to multiple passwords?

It sure would be nice to know exactly who is caching this information, where, and why.  After all, the whole purpose is for security, so when you see a message like this, it doesn't make one feel warm and fuzzy.
CIS Complete 2012

Offline dlimonov

  • Comodo Loves me
  • ****
  • Posts: 142
Re: Password cache in memory
« Reply #3 on: April 26, 2013, 03:33:26 AM »
If --auth-nocache isn't specified, TrustConnect saves the username/password in memory.
That means that, if the connection is lost and TrustConnect needs to reconnect (which it usually does automatically), it won't have to ask you - it will retrieve username/password from memory and send them to the server automatically, without bothering you.
WARNING: this configuration may cache passwords in memory...  - this is just a warning that means it would be theoretically possible to steal your password, should someone have access to your virtual memory (windows pagefile). It's very unlikely.
Directive --auth-nocache should be used to prevent cache password in memory. If specified, this directive will cause TrustConnect to immediately forget username/password inputs after they are used.
As a result, when TrustConnect needs a username/password, it will prompt for input from stdin, which may be multiple times during the duration of an TrustConnect session.
Quote
However, if that is the case, then shouldn't there only be ONE password to worry about?
This refers to only one password.
« Last Edit: April 26, 2013, 03:36:46 AM by dlimonov »

 

Free Endpoint Protection
Seo4Smf 2.0 © SmfMod.Com Smf Destek