In an eight-hour period, the Dulles, Va.-based firm's engineers were able to duplicate the algorithm used to scramble an individual's mail password, the company claims.
"There is a better algorithm out there that could be used by Netscape that would raise the bar much higher than the one they're using now," said Gary McGraw, vice president for corporate technology at RST. "I guess they're acting like it's a silly algorithm but there is no perfect solution so [they'll] stick with this. I think they should say there is no perfect solution so let's have a better algorithm."
Representatives from Netscape, a unit of America Online, were unavailable for comment.
Many people use their email password as their password for other applications, both at work and at home. A malicious attacker could use the victim's password, gleaned from an insecure home machine, to log on to other corporate systems, the company warned.
The attacker can then take control of the machine, read sensitive information, use the account to attack more privileged accounts, and set up a remote monitoring system inside a corporate network.
For a Netscape mail password to be decoded, a small program must be run on the computer where the password is saved, the company explained.
So far, the workaround is for users not to save their passwords at all, so that they are never written to the preferences file where an attacker could read them.
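The article does not describe Netscape's scrambling algorithm, only that engineers reproduced it in a day and that a "better algorithm" would raise the bar. The added example below is not Netscape's code or RST's; it contrasts a hypothetical weak scheme (a fixed key embedded in the program, so any program on the machine can reverse it, as the article describes) with a scheme whose key is derived from a user-held master password. The function names, the constructed fixed key, the sample password and master password, and the HMAC-based keystream construction are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical weak scheme: the only "secret" is a constant compiled into the
# program. This is a constructed stand-in, NOT Netscape's actual algorithm.
FIXED_KEY = b"constructed-fixed-key"


def _xor(data: bytes, stream: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(a ^ b for a, b in zip(data, stream))


def weak_scramble(password: str) -> bytes:
    data = password.encode()
    stream = (FIXED_KEY * (len(data) // len(FIXED_KEY) + 1))[: len(data)]
    return _xor(data, stream)


def weak_unscramble(blob: bytes) -> str:
    # No user secret is needed: whoever has the program has the key, so a
    # small local program (as the article notes) recovers the password.
    stream = (FIXED_KEY * (len(blob) // len(FIXED_KEY) + 1))[: len(blob)]
    return _xor(blob, stream).decode()


# Stronger scheme: key derived from a master password the user types in, so the
# stored blob alone is useless without that master password.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master: str, salt: bytes) -> tuple:
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return key[:32], key[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a simple illustrative keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(password: str, master: str) -> bytes:
    """Return salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master, salt)
    data = password.encode()
    ct = _xor(data, _keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def recover(blob: bytes, master: str) -> Optional[str]:
    """Return the password, or None if the master password or blob is wrong."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN : SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN : -TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong master password or tampered blob
    return _xor(ct, _keystream(enc_key, nonce, len(ct))).decode()


if __name__ == "__main__":
    # Constructed sample values.
    blob = weak_scramble("sample-mail-pass")
    print("weak scheme recovers without any secret:", weak_unscramble(blob))
    blob = protect("sample-mail-pass", "sample-master")
    print("strong scheme, right master:", recover(blob, "sample-master"))
    print("strong scheme, wrong master:", recover(blob, "not-the-master"))
```

The practical difference is where the secret lives: in the weak scheme it is in the program, so saving the password to the preferences file is equivalent to saving it in clear; in the second scheme it is in the user's head (or an OS keystore), so the saved blob is only as exposed as the master password.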