Hi Dario, > On 17 Jun 2019 (Mon), at 11:23, Dario Lombardo <lom...@gmail.com> wrote: > > Hi Sake > > On Mon, Jun 17, 2019 at 7:01 AM Sake Blok | SYN-bit <sake.b...@syn-bit.nl > <mailto:sake.b...@syn-bit.nl>> wrote: > Personally I don't like the option to have a central place to add credential > information to show to the user. I think this crosses the (very thin) line > between "being able to see a password" and "being a tool to extract > passwords". > > > Personally this is what I like of it :). But indeed this is a discussion > about lines crossed, so anybody's opinion and previous experience is welcome. > The line between see and extract sounds to me like the Richard's picture of > orchids. Wireshark can already extract the credentials: they are dissected > and put under the proper proto item with names like "auth", "credential", > "password", etc. This is rather different that "follow tcp stream" of an > undissected protocol, that contains credentials. The patch doesn't give more > "power" to the user: just instead of scripting tshark or jumping between > packets it makes easier reading them through a dialog. IMHO Wireshark is > already a tool to extract passwords.
I understand your point of view. However, needing a little more knowledge to extract passwords than just clicking on the "show me all credentials" is a good thing IMHO. If this feature is used to raise security awareness, then having a list of usernames with **** passwords to show for which users passwords are present in the pcap file is enough, no need to show the passwords themselves. If an individual password is needed, it can easily be obtained by going to the packet that has the password without showing all passwords in a list. To me for troubleshooting issues, it is sufficient to see the usernames and sometimes extract a password, but I do not need a list of them For security awareness, you do not need the passwords, just the protocol and username and the fact that the password is available in the pcap file For hacking you would want to have the full list, but then I would prefer people to use other available tools to keep Wireshark on the friendly side of the line. What use-case do you see for a list of all passwords (where a list of just the usernames is not enough)? > Just my €0,02 > > Taken ;). Make sure to collect them at a next Sharkfest ;-)
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
