Hello users,

I got bored today and started playing with the account passwords. I
remember someone posting a while back that you could move a folder
from a passworded account to another account and read the messages in
TB.

After confirming this, and confirming that an account password is
stored in the account.cfg file, I did the below:

1. Made a backup of the account.cfg in case I screwed up.
2. In TB, I passworded an account.
3. Using Textpad, I opened both the account.cfg and my backup
4. I compared the sections where the account password appeared and
   then just deleted the account password in account.cfg. I also
   removed some blank characters (or they appeared that way in
   Textpad). It happened to be three blank characters, and wouldn't
   you know it, I was short three null characters in the resulting
   account.cfg line where the account password had appeared.
5. Just for S&Gs, I didn't replace them and saved account.cfg
6. Closed and restarted TB
7. The passworded account was no longer passworded.

This is a major bummer in two aspects.

The first is that obviously a moved message.msb should not be readable
by TB when moved to another account.

Speaking of which, I couldn't figure this one out. After passwording
an account, the messages.msb appears encrypted (at least to plaintext
editors). After moving the "encrypted" messages.msb to an unpassworded
account which TB can then read, the messages.msb file still appears
"encrypted" to plaintext editors. Is it encrypted or what? If so, it
appears independent of the account password, so maybe just an XOR or
something which TB can recognize and undo.

Secondly, although I realize that moving the messages.msb is simpler
than editing out the password, there should be some sort of hash or
checksum that will recognize that something is missing in the
account.cfg. Granted, every time that you change an account setting,
the checksum/hash would have to be recalculated, but once you have an
account set up, you really don't mess with its properties after that
(other than to maybe add quick templates or cookies (if not using an
external cookie file)).

My point is that I don't see the use of password protecting your
account except to keep nosy but non-computer-savvy people from
reading your mail.



Actually, I was playing with all of the files in the TB directory as
well as the registry. Does anyone know what the below are for?

account.m_d
account.m_r

What is the difference between account.qtn and account.qtp? Both are
for quick templates, but they differ just a little.

What is the difference between account.srt and account.srx? Both are
for filters, but they differ just a little.

Is the number of entries in the account.log determined by time or by
the actual number of entries? It appears to be for the last 24 hours
maybe (just from a quick glance at mine). I'm probably wrong though.

In account.fpf I saw many entries for folders I deleted a while back.
Does the option of wiping the folder or just moving it to trash
affect whether the entry is left in this file?



Well, enough dinking around. I hope RIT Labs doesn't hate me for
pointing out the security holes. :-(

BTW, I only posted this to TBBETA because I think most of us are a
little more mature here. However, security through obscurity isn't
much security anyway. Just look what I found out in 15 minutes of
playing around.



Cheers,
Leif Gregory <[EMAIL PROTECTED]>
ICQ - 216395

-- 
PCWize -  <http://www.pcwize.com>
A free weekly e-zine for both newbies and advanced users sent directly
to your inbox. Web site and software reviews, technology news, tips
and tricks, security alerts, and in-depth "How they work" articles on
computers and the Internet.   


Using The Bat! 1.38 Beta/6 under Windows 98 4.10 Build 1998   
on a Pentium 266 with 64MB.
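The checksum idea from the post, as an added example (Python; not code from The Bat! or RIT Labs): an integrity tag over the account settings, keyed from the account password itself, so that a file with the password entry edited out is rejected rather than silently opened. The field names, the `__salt`/`__tag` lines and the PBKDF2 iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed; tune per machine)


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key; the key itself never touches the file."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def seal_config(fields: dict, password: str) -> str:
    """Serialise the settings and append a salt plus an HMAC computed under the
    password-derived key. The password is never written, so there is nothing
    to delete; removing or editing any line breaks the tag instead."""
    salt = os.urandom(16)
    body = "".join(f"{k}={v}\n" for k, v in sorted(fields.items()))
    tag = hmac.new(derive_key(password, salt), body.encode("utf-8"), "sha256")
    return body + f"__salt={salt.hex()}\n__tag={tag.hexdigest()}\n"


def verify_config(text: str, password: str) -> bool:
    """True only if every settings line is exactly what was sealed under this
    password. A missing salt or tag counts as tampering, not as 'unprotected'."""
    lines = text.splitlines(keepends=True)
    body = "".join(l for l in lines if not l.startswith("__"))
    meta = dict(l[2:].rstrip("\n").split("=", 1) for l in lines
                if l.startswith("__") and "=" in l)
    if "salt" not in meta or "tag" not in meta:
        return False
    try:
        key = derive_key(password, bytes.fromhex(meta["salt"]))
    except ValueError:  # corrupted salt
        return False
    expected = hmac.new(key, body.encode("utf-8"), "sha256").hexdigest()
    return hmac.compare_digest(expected, meta["tag"])


def demo() -> dict:
    """Constructed sample: the edit from the post (protection line deleted),
    a stripped tag, and a wrong password are all rejected."""
    sealed = seal_config({"Name": "Leif", "Protected": "1"}, "correct horse")
    def drop(s, pre): return "".join(l for l in s.splitlines(True) if not l.startswith(pre))
    return {
        "intact": verify_config(sealed, "correct horse"),
        "protection_deleted": verify_config(drop(sealed, "Protected="), "correct horse"),
        "tag_stripped": verify_config(drop(sealed, "__tag="), "correct horse"),
        "wrong_password": verify_config(sealed, "wrong"),
    }
```

The tag only protects the settings file: as the post's first point says, it does nothing if the message store itself can be read without the password, so the stored mail would also need to be encrypted under a key derived the same way.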



-- 
--------------------------------------------------------------
View the TBBETA archive at http://tbbeta.thebat.dutaint.com
--------------------------------------------------------------
