[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] obscure password

From: Marcus Rueckert <darix_at_web.de>
Date: 2006-03-12 23:04:30 CET

On 2006-03-12 13:46:39 -0800, HIROSHIMA Naoki wrote:
> Fair enough. But if you would really want to appear as insecure as it
> is, I would like to suggest two things.
>
> 1) add a note in the explanation of "store-passwords" in .subversion/config.
>
> 2) make "store-passwords" default to "no".
>
> In this way, people, who might find being asked their password every
> time very annoying, will need to find that "store-passwords = yes" is
> needed to avoid it. And the note like, say, "Your password will be
> stored in cleartext in ~/.subversion/auth/..." will be given to them.
>
> In current way, many people don't even realize that their password is
> being stored in plaintext. Giving no information might be better than
> giving a false sense but giving a note is better than giving no heads-up
> in my opinion.
>

i agree with a warning it is stored in plaintext on anything but osx and
windows. the 2 use encrypted storage.

but you should keep in mind it generates those files were a very strict
permission set. so it is normally only readable by you and root.
and you should have some minimal trust to the adminstrator of your box.

and base64 encode the password doesnt give you anything. most admins
know how to decode base64. so in the end i agree with karl. there is no
extra security gained.

darix

-- 
           openSUSE - SUSE Linux is my linux
               openSUSE is good for you
                   www.opensuse.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Mar 12 23:05:07 2006

This is an archived mail posted to the Subversion Dev mailing list.