[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: subversion reveals passwords

From: Duncan Booth <duncan.booth_at_suttoncourtenay.org.uk>
Date: Mon, 7 Apr 2008 11:12:47 +0000 (UTC)

Karl Fogel <kfogel_at_red-bean.com> wrote:

> Duncan Booth <duncan.booth_at_suttoncourtenay.org.uk> writes:
>> That isn't the only option. For example you could store a hash
>> locally and transfer a hash of the hash. That way you still aren't
>> sending the stored value across the network (and you can use a
>> challenge response system to ensure the value which is sent is
>> different every time) but if the stored password is leaked the
>> original plaintext password (which may be being used for other
>> systems too) isn't compromised.
> But then the stored hash becomes, effectively, the plaintext password,
> and we are still storing it locally.
> (Work it out, you'll see what I mean.)

Phil Marek understood my point: access to the Subversion repository is
neither more nor less secure than before, but compromising the hashed
password used by Subversion would no longer compromise other systems where
the same plaintext password was being used.

To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-04-07 13:13:10 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.