Ben Collins-Sussman wrote:
>> That's the kind of situation that it might be nice to avoid by
>> default, even if just by trivially scrambling the password.
> I've argued for a trivial scrambling in the past (like CVS does), but
> some folks are strongly against this, feeling that it will convey a
> false sense of security.
Oops, even after that whole anecdote, I forgot the point I was trying to
I would be in favor of a trivial scrambling of passwords, but I'm even
more in favor of not caching credentials by default. They're two
related but separate issues. The first thing that went wrong in my
story was forgetting to edit ~/.subversion/config, so passwords were
accidentally cached. The accidental nature of it bothers me more than
the plain text passwords. With credential caching off by default, at
least such accidents would be much less likely.
Michael W Thelen
It is a mistake to think you can solve any major problems just with
potatoes. -- Douglas Adams
Received on Tue Jan 4 19:10:49 2005
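
An added example, not part of the original message and not Subversion's own code: a Python audit that lists which entries in a credential cache directory hold a plaintext password, without ever printing the password. The cache location `~/.subversion/auth/svn.simple`, the key names and the `passtype` field do not appear in the message; they are assumptions about how Subversion clients lay out cached credentials, and the sample record is constructed.

```python
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse a 'K <len>\\n<key>\\nV <len>\\n<value>\\n ... END' record (assumed cache format)."""
    out, pos = {}, 0
    def read_item(tag: bytes) -> str:
        nonlocal pos
        eol = data.index(b"\n", pos)          # ValueError if the header line is missing
        header = data[pos:eol].split()
        if len(header) != 2 or header[0] != tag:
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        n, start = int(header[1]), eol + 1
        item = data[start:start + n]
        if len(item) != n or data[start + n:start + n + 1] != b"\n":
            raise ValueError("truncated entry")
        pos = start + n + 1
        return item.decode("utf-8", "replace")
    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        out[key] = read_item(b"V")
    return out

def audit_entry(entry: dict) -> dict:
    """Summarise one cached credential; the password value is never returned."""
    # Assumption: a missing 'passtype', or the value 'simple', means the
    # 'password' value sits in the file unencrypted.
    plaintext = "password" in entry and entry.get("passtype", "simple") == "simple"
    return {"realm": entry.get("svn:realmstring", "?"),
            "username": entry.get("username", "?"),
            "plaintext_password": plaintext}

def audit_cache(auth_dir: Path) -> list:
    findings = []
    for f in sorted(auth_dir.glob("*")):
        if f.is_file():
            try:
                findings.append({"file": f.name, **audit_entry(parse_svn_hash(f.read_bytes()))})
            except ValueError as exc:
                findings.append({"file": f.name, "error": str(exc)})
    return findings

def dump_record(d: dict) -> bytes:  # builds constructed sample records for testing
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in d.items()) + b"END\n"

SAMPLE = dump_record({b"password": b"constructed-secret", b"username": b"alice",
                      b"svn:realmstring": b"<https://svn.example.invalid:443> Constructed Realm"})

if __name__ == "__main__":
    cache = Path.home() / ".subversion" / "auth" / "svn.simple"  # assumed default location
    print(*(audit_cache(cache) if cache.is_dir() else []), sep="\n")
```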