Alex Holst wrote:
> Quoting Malcolm Rowe (email@example.com):
>> Obfuscating passwords solves two problems:
>> 1. It prevents accidental disclosure (e.g. 'grep -r pony ~', if your
>> password is 'i-want-a-pony', your non-malicious sysadmin reading
>> it by mistake, that kind of thing).
>> 2. It stops people complaining that "HEY SUBVERSION IS STORING MY PASSWORD IN
>> THE CLEAR!!1".
> Please don't do this. Whilte Such a change may stop users complaining,
> it won't stop subversion from storing the password (effectivly) in the
> None of this will stop attackers. And, while the change may indeed stop
> users from complaning, you'll simply end up with security professionals,
> like me, complaining that subversion "tricks" users into not
> investigating alternatives to plain text passwords.
Did you miss the part of the patch which writes the following to each
auth storage file?
WARNING! This file contains a version of your password that has been
slightly scrambled to avoid accidental disclosure.
The scrambled password is NOT ENCRYPTED in any way, and so you should
take the same care of it as you would your regular password.
C. Michael Pilato <firstname.lastname@example.org>
CollabNet <> www.collab.net <> Distributed Development On Demand
Received on Wed Oct 18 16:39:27 2006