
Re: [PATCH] Obfuscate auth info

From: Branko Čibej <brane_at_xbc.nu>
Date: 2006-10-19 10:11:58 CEST

Ph. Marek wrote:
> On Wednesday 18 October 2006 23:57, Alex Holst wrote:
>> I claim that, regardless of what warning might appear in the password
>> file, obfuscated auth data will result in many users/admins/managers
>> thinking it takes a lot of effort to recover their password. Anyone who
>> has ever dealt with users or managers knows I'm not kidding.
>> Which is greater? The cost of educating users who post to the mailing
>> list about clear text passwords or the very likely possibility that
>> a user will shoot themselves in the foot because they didn't feel a need
>> to investigate ssh keys, certs or kerberos auth?
> I'd like to throw in that even an OS with a "password storage mechanism" (like
> WinNT, WinXP etc.) stores a *cleartext* equivalent in the registry.
> If you say "connect this windows share, remember my password" the password is
> stored as a LanMAN hash - which is *exactly* what is needed to connect to the
> remote site, and can be used for this purpose.

AFAIK, since at least Windows 2000, the LanMAN hash is no longer stored
in the registry by default. Guess why.

It is *not true* that any password storage mechanism is insecure ...
Mac's keychain, or Windows' FS encryption certificate, can only be
unlocked with the user's password -- that's done exactly once when the
user logs in, the session keys are stored in secure memory (presumably)
and go away when the user logs out.

-- Brane

Received on Thu Oct 19 10:12:33 2006

This is an archived mail posted to the Subversion Dev mailing list.