
Re: subversion reveals passwords

From: Ph. Marek <philipp.marek_at_bmlv.gv.at>
Date: Mon, 7 Apr 2008 12:41:01 +0200

On Monday, 7 April 2008, Karl Fogel wrote:
> Duncan Booth <duncan.booth_at_suttoncourtenay.org.uk> writes:
> > That isn't the only option. For example you could store a hash locally
> > and transfer a hash of the hash. That way you still aren't sending the
> > stored value across the network (and you can use a challenge response
> > system to ensure the value which is sent is different every time) but if
> > the stored password is leaked the original plaintext password (which may
> > be being used for other systems too) isn't compromised.
>
> But then the stored hash becomes, effectively, the plaintext password,
> and we are still storing it locally.
>
> (Work it out, you'll see what I mean.)
I think the rationale is that the plaintext password, which might be used in
other systems too, cannot easily be recovered from the (hopefully salted)
hash.

Regards,

Phil

Received on 2008-04-07 12:41:20 CEST
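
The trade-off argued in this thread, as an added example that is not part of the original messages or of Subversion's code. It assumes PBKDF2 for the locally stored hash and an HMAC over a random server challenge for the response; the `Server` class, `other_system_login`, the password and the salt are all hypothetical or constructed.

```python
import hashlib
import hmac
import os

def derive_stored_key(password: str, salt: bytes) -> bytes:
    """Value the client caches on disk instead of the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def respond(stored_key: bytes, challenge: bytes) -> bytes:
    """Client's answer to a challenge; only the cached key is needed."""
    return hmac.new(stored_key, challenge, hashlib.sha256).digest()

class Server:
    """Hypothetical server that holds the same derived key for the user."""
    def __init__(self, stored_key: bytes):
        self._key = stored_key

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(respond(self._key, challenge), response)

def other_system_login(expected_password: str, presented: bytes) -> bool:
    """A different service where the user reuses the same plaintext password."""
    return hmac.compare_digest(expected_password.encode(), presented)

def demo() -> dict:
    # Constructed sample credentials, not taken from the thread.
    password, salt = "correct horse (constructed)", b"constructed-salt"
    cached = derive_stored_key(password, salt)  # what sits in the local cache
    server = Server(cached)
    c1, c2 = server.new_challenge(), server.new_challenge()
    r1, r2 = respond(cached, c1), respond(cached, c2)
    return {
        # The value on the wire changes with every challenge.
        "responses_differ": r1 != r2,
        # The cached key is sufficient to log in here: it is the
        # effective credential for this server.
        "cached_key_alone_logs_in": server.verify(c1, r1),
        # A captured response is useless against a fresh challenge.
        "replay_on_new_challenge": server.verify(c2, r1),
        # The cached key is not the plaintext, so it fails on other systems.
        "cached_key_works_elsewhere": other_system_login(password, cached),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both positions hold at once: the cached value must be protected like a password for this server, while its leak does not directly expose the reused plaintext.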

This is an archived mail posted to the Subversion Dev mailing list.
