[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: svnserve password store in clear text

From: Ng, Wey Han <weyhan.ng_at_atosorigin.com>
Date: 2004-06-03 08:39:53 CEST

> -----Original Message-----
> From: Jon Foster [mailto:jon@jon-foster.co.uk]
> Sent: Thursday, June 03, 2004 3:21 AM
>
> Also, it stops administrators from seeing the password accidentally.
> E.g. I run a small SVN server at my company, but I'm not a proper
> system administrator. Users want to use the same password for the
> SVN server as for the network. However, users don't want me to know
> their password, and I actively don't want to know their passwords.
> With the current system I have to see all their passwords - if the
> system used a password hash then users could just send me that hash.

This is exactly my concern when I raise the issue. Although I have already
written a shell script as a cgi script to make password changes over the web
interface, rather then getting the user to send me the hash. I have found
that getting the user to send me the hash reduce the comfort feeling for the
user.

> Although theoretically I might be able to use a brute-force or
> dictionary attack against their password, I'm not going to.
> (Even reversible encryption/obfuscation on the password would meet
> this goal).

Yeah. Same here. BTW, how did you manage to read my mind so completely? :)

Regards,

Han.

----
Ng, Wey-Han
Atos Origin
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Jun 3 16:34:22 2004

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.