
RE: Repository Passwords are in clear text?

From: Gavin Lambert <gavinl_at_compacsort.com>
Date: 2005-11-16 00:35:13 CET

Quoth Mark Parker <mailto:mark@msdhub.com>:
> That's what I'm saying... you didn't solve it. All you did
> was turn the easily readable plaintext passwords into
> something longer and harder to remember. If the administrator
> wanted to do something with your account, all he needs do is
> comment out the line that says "the_password =
> hash(the_password)" in the client and recompile. If the
> administrator wouldn't do that because he's trustworthy, then
> why not leave easily-readable passwords in the file?

Because there's a certain value in obfuscation -- it's the difference
between intentional snooping and inadvertent snooping.

If the passwords are stored in plaintext, then if the admin *ever* opens
the file then they can't help but see everybody's password. They get
the passwords shoved in their face, even if they were only opening the
file to add another user, and not to snoop.

If the passwords are stored in some obfuscated way (such as an MD5, or
even something reversible like base64) then sure, the admin can find out
what the password is (or do Evil Things with the account) if they want
to -- but they're the admin anyway, there's no way you can stop them
from doing evil if they want to. But what it does do is to prevent the
passwords from being shoved in the admin's face all the time.

I think Apache's .htpasswd files are a good compromise here. Passwords
are stored in base64, which is of course easily reversible, but it means
that a casual glance doesn't reveal passwords. You actually have to
open the file with the intent to extract passwords to do so.

(And the fact that an MD5 is "harder to remember" is completely
irrelevant -- nobody needs to memorise them anyway; any hashing is done
by either the server or client software.)
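As an added illustration of the three storage choices this reply contrasts (plaintext, a reversible encoding such as base64, and a one-way hash), not code from the original post or from Subversion or Apache: a constructed `user:$scheme$data` line format of our own, a verifier that handles all three the same way, and a check of what merely opening the file reveals for each scheme. PBKDF2 stands in here for the hash; the line format is invented for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed "user:$scheme$data" line format (not a real htpasswd format).
# plain/b64 are the "obfuscation" the thread argues about; pbkdf2 is one-way.
PBKDF2_ROUNDS = 100_000

def make_entry(scheme: str, user: str, password: str) -> str:
    """Build one password-file line for the given storage scheme."""
    pw = password.encode()
    if scheme == "plain":
        data = password
    elif scheme == "b64":
        data = base64.b64encode(pw).decode()
    elif scheme == "pbkdf2":
        salt = os.urandom(16)  # fresh per entry: equal passwords differ on disk
        dk = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)
        data = base64.b64encode(salt).decode() + "$" + base64.b64encode(dk).decode()
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return f"{user}:${scheme}${data}"

def _parse(entry: str):
    user, stored = entry.split(":", 1)
    _, scheme, data = stored.split("$", 2)
    return user, scheme, data

def verify(entry: str, password: str) -> bool:
    """Login check; one call serves every scheme, so users never see which one."""
    _, scheme, data = _parse(entry)
    pw = password.encode()
    if scheme == "plain":
        return hmac.compare_digest(data.encode(), pw)
    if scheme == "b64":
        return hmac.compare_digest(base64.b64decode(data), pw)
    salt_b64, dk_b64 = data.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", pw, base64.b64decode(salt_b64), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def password_readable_from_file(entry: str):
    """What opening the file reveals: the password for plain/b64, None for pbkdf2."""
    _, scheme, data = _parse(entry)
    if scheme == "plain":
        return data
    if scheme == "b64":
        return base64.b64decode(data).decode()
    return None
```

The salted PBKDF2 line is the only one where an admin who opens the file gets nothing but an opaque string; the other two differ only in whether the password is read directly or after a keyless decode.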

Received on Wed Nov 16 00:39:23 2005

This is an archived mail posted to the Subversion Users mailing list.
