Re: [PATCH] Obfuscate auth info

From: Alex Holst <a_at_mongers.org>
Date: 2006-10-19 10:42:23 CEST

Quoting Ph. Marek (philipp.marek@bmlv.gv.at):
> I'd like to throw in that even on OS with a "password storage mechanism" (like
> WinNT, WinXP etc) that stores a *cleartext* equivalent in the registry.
> If you say "connect this windows share, remember my password" the password is
> stored as a LanMAN hash - which is *exactly* what is needed to connect to the
> remote site, and can be used for this purpose.

Simply not true. While there may be some brain dead applications left
for Windows that try to store passwords themselves, a full API has
existed for years that allow applications to safely manage passwords in
a properly protected store. See chapter 9 af "Writing Secure Code 2nd",
which covers this is great detail, or, look for the DPAPI documentation on
MSDN.

As far as I know, the identical facility in MacOS X is just as safe as the
one in Windows.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                http://a.mongers.org 
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Thu Oct 19 10:42:38 2006

This message: [ Message body ]
Next message: David Anderson: "Re: [PATCH] Obfuscate auth info"
Previous message: Samay: "Re: [PATCH] Obfuscate auth info"
In reply to: Ph. Marek: "Re: [PATCH] Obfuscate auth info"
Next in thread: Samay: "Re: [PATCH] Obfuscate auth info"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]