
Re: Repository Passwords are in clear text?

From: Scott Palmer <scott.palmer_at_2connected.org>
Date: 2005-11-15 23:54:04 CET

On 15-Nov-05, at 5:38 PM, Mark Parker wrote:

> Scott Palmer wrote:
>> But you are correct, there are fairly easy things that can be done
>> to fix it. E.g. store the hash of the plaintext password, issue
>> a challenge from the server with a secure random number, the
>> client responds with the result of hashing the password hash
>> with the random number. The server checks that hashing the
>> stored hash with the random number yields the same value. The
>> data over the wire is random so sniffing doesn't help that much.
>
> That doesn't solve (or even change) the problem. You just turned
> the password from some easily-remembered number/word/phrase into a
> fixed-length hexadecimal string. The server still stores "piece of
> data a" and the client still uses "piece of data a" to respond to
> the server's challenge. Whether or not "piece of data a" is derived
> from or is a hash of "piece of data b" is irrelevant.

Ultimately yes. I was only solving the issue of easily readable
plaintext passwords. So, for example the administrator could look at
the file without accidentally reading the private passwords of the
users.

Scott

Received on Tue Nov 15 23:56:40 2005
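
The challenge-response scheme discussed in this thread, sketched as an added example that is not part of the original mail or of Subversion's code. SHA-256, the 16-byte challenge, and all function and user names are assumptions; the thread names no algorithm.

```python
import hashlib
import hmac
import secrets

def stored_verifier(password: str) -> bytes:
    """What the server keeps on disk: H(password) instead of the plaintext."""
    return hashlib.sha256(password.encode()).digest()

def new_challenge() -> bytes:
    """Server side: fresh secure random number for each login attempt."""
    return secrets.token_bytes(16)

def response(verifier: bytes, challenge: bytes) -> bytes:
    """Both sides compute H(stored hash || challenge)."""
    return hashlib.sha256(verifier + challenge).digest()

def server_check(db: dict, user: str, challenge: bytes, resp: bytes) -> bool:
    """Server recomputes the response from its stored hash and compares."""
    return hmac.compare_digest(response(db[user], challenge), resp)

def demo() -> dict:
    password = "correct horse"  # constructed sample value
    db = {"scott": stored_verifier(password)}  # server-side password file

    # 1. Normal login: the client derives the hash from the typed password.
    c1 = new_challenge()
    r1 = response(stored_verifier(password), c1)
    ok_password = server_check(db, "scott", c1, r1)

    # 2. A party that only ever saw the stored hash (never the password)
    #    produces an equally valid response: the hash is the credential.
    c2 = new_challenge()
    ok_hash_only = server_check(db, "scott", c2, response(db["scott"], c2))

    # 3. A response captured on the wire is useless against a new challenge.
    ok_replay = server_check(db, "scott", new_challenge(), r1)

    # 4. The file no longer shows a human-readable password.
    readable = any(password.encode() in v for v in db.values())

    return {"password_login": ok_password, "hash_only_login": ok_hash_only,
            "replayed_response": ok_replay, "plaintext_in_file": readable}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Cases 2 and 4 are the two positions in the thread side by side: the file stops exposing readable passwords, but it still has to be protected like a file of plaintext credentials.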

This is an archived mail posted to the Subversion Users mailing list.