Re: Feature Request: clients shouldn't store auth-creds

From: Michael W Thelen <mike_at_pietdepsi.com>
Date: 2005-01-04 19:07:10 CET

Ben Collins-Sussman wrote:
>> That's the kind of situation that it might be nice to avoid by
>> default, even if just by trivially scrambling the password.
>
> I've argued for a trivial scrambling in the past (like CVS does), but
> some folks are strongly against this, feeling that it will convey a
> false sense of security.

Oops, even after that whole anecdote, I forgot the point I was trying to
make. :-)

I would be in favor of a trivial scrambling of passwords, but I'm even
more in favor of not caching credentials by default. They're two
related but separate issues. The first thing that went wrong in my
story was forgetting to edit ~/.subversion/config, so passwords were
accidentally cached. The accidental nature of it bothers me more than
the plain text passwords. With credential caching off by default, at
least such accidents would be much less likely.

-- 
Michael W Thelen
It is a mistake to think you can solve any major problems just with
potatoes.       -- Douglas Adams

application/pgp-signature attachment: OpenPGP digital signature

Received on Tue Jan 4 19:10:49 2005

This message: [ Message body ]
Next message: Ben Collins-Sussman: "Re: [PATCH] [BUG] fsfs truncates rev-props - bug on full fs"
Previous message: Ben Collins-Sussman: "Re: Feature Request: clients shouldn't store auth-creds"
In reply to: Ben Collins-Sussman: "Re: Feature Request: clients shouldn't store auth-creds"
Next in thread: kfogel_at_collab.net: "Re: Feature Request: clients shouldn't store auth-creds"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]