Re: Security flaw: subversion stores passwords by default / Proposal

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Sat, 22 Mar 2008 18:57:43 -0400

"Deven T. Corzine" <deven_at_ties.org> writes:
> However, once you've chosen to store passwords, they should at least
> be obscured from casual viewing. Even if it's just Base64-encoded,
> that's better than plaintext passwords. At least it requires a
> positive step to decode the password, which won't happen by accident.
> An administrator could stumble across the plaintext password by
> accident, compromising the password unintentionally. No, it's no more
> secure from an attacker, but it's still an improvement.

Actually, personally I agree with that, but IIRC I lost that argument
years ago (and don't feel strongly about it).

CVS does trivially scramble passwords in just the way you describe, for
the reason you give.

Received on 2008-03-22 23:58:34 CET

This is an archived mail posted to the Subversion Users mailing list.