Utility could reveal password cache

To its makers, it helps absent-minded computer users who can't remember all their passwords.

To Microsoft (MSFT), it's a menace.

The utility in question is called Revelation, software that reveals the hidden ISP, email, or corporate network passwords stored in the password cache of Windows 95. Win95 users who want to avoid retyping passwords each time they need them have the option of storing passwords in this cache, where they are represented by asterisks rather than plain text. Revelation reveals the text behind the asterisks.

With numerous passwords to remember, users are likely to take advantage of applications and software that alleviate some of the memory strain. "It's the classic trade-off between convenience and security," said Microsoft spokesperson Jon Roberts.

Roberts recommends that users reduce the number of different passwords they use in order to avoid relying on the password cache. The simplest way to avoid the Revelation menace is not to use that cache at all.

In a bulletin posted yesterday on its Web site, Microsoft advised security-conscious Windows 95 users to leave the Remember My Password box unchecked if there's any chance Revelation has been downloaded onto the user's computer.

In addition, the company said the software represents a security concern only if the computer running the software is left unattended. Remote access, according to Microsoft, is not an issue in this case.

Revelation, created and offered as freeware by SnadBoy Software, is designed for Windows 95 only. The utility doesn't work with Windows NT Workstation or Server, according to Microsoft.

Roberts declined to characterize the Revelation threat as a Windows 95 security hole. "We don't consider it a loophole. I would think of it more as a vulnerability."

Windows 98 is expected to be similarly vulnerable, said Roberts.