Re: [PATCH] Obfuscate auth info

From: Alex Holst <a_at_mongers.org>
Date: 2006-10-19 10:42:23 CEST

Quoting Ph. Marek (philipp.marek@bmlv.gv.at):
> I'd like to throw in that even on OS with a "password storage mechanism" (like
> WinNT, WinXP etc) that stores a *cleartext* equivalent in the registry.
> If you say "connect this windows share, remember my password" the password is
> stored as a LanMAN hash - which is *exactly* what is needed to connect to the
> remote site, and can be used for this purpose.

Simply not true. While there may be some brain dead applications left
for Windows that try to store passwords themselves, a full API has
existed for years that allows applications to safely manage passwords in
a properly protected store. See chapter 9 of "Writing Secure Code 2nd",
which covers this in great detail, or look for the DPAPI documentation on
MSDN.

As far as I know, the identical facility in MacOS X is just as safe as the
one in Windows.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                http://a.mongers.org 
Received on Thu Oct 19 10:42:38 2006

This is an archived mail posted to the Subversion Dev mailing list.