
Re: [PATCH] don't store plain-text passwords by default

From: Stefan Sperling <stsp_at_elego.de>
Date: Fri, 18 Apr 2008 02:53:38 +0200

On Thu, Apr 17, 2008 at 01:11:14PM -0400, Greg Hudson wrote:
> Fundamentally, people are going to save their passwords if they don't
> have an acceptably convenient alternative. Keyring-type solutions are
> acceptably convenient; retyping your password for every network command
> is not. We can change the default, but it's not going to make anyone's
> usage scenario more secure than it is now.

I don't think that many people will type their passwords over and over
again either. Many will set 'store-plaintext-passwords = yes' to avoid
having to type it all the time. And be happy.

Others will use WinCrypt, Keychain, and (in the future) Gnome Keyring
and not notice any difference.

But a secure-by-default behaviour in the plaintext case is highly desirable.

I don't think people will mind enabling saving of plaintext passwords
as much as others mind Subversion saving plaintext passwords perceivably
behind their backs. Unless people read the documentation closely,
they are not made aware. Subversion doesn't even print a warning when
it saves a password in plaintext, it just does it. Many have already
found out about it after the fact and got angry (see links below).

> It might change a few perceptions, but it won't change any realities.

For one thing, it changes the perception that Subversion developers
don't give a damn about security (see first link in long list below).
People who really are into security and privacy take this kind of
stuff quite seriously. Any small loophole, however small, is a security
issue to them. And they extrapolate this to "Subversion isn't written
with security in mind." So they won't use Subversion.

There are many environments where storing plaintext passwords is
totally acceptable (single-user or even small multi-user workstations
where people trust each other and the admins). Just as there are many
environments where it is not acceptable (e.g. single sign-on environments
in companies and universities, or environments where admins and other
users can't be trusted).

The current behaviour is a sane default for the first type of
environment, and a disaster for the second type of environment,
because it facilitates accidental leaks of passwords.

The new behaviour introduced by the dont-save-plaintext-passwords-by-default
branch, where the patch being discussed now sits, would be sane behaviour
for either environment.

At least one downstream packager uses a workaround to avoid the behaviour:
http://www.openbsd.org/cgi-bin/cvsweb/ports/devel/subversion/files/config

Companies have trouble deploying Subversion in some environments
because of this behaviour -- see another mail by me in this thread:
http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=137317

I myself remember many passwords and don't store plaintext passwords
on any medium whatsoever. (Just to indicate my itch behind this.)

People have been complaining about this forever. I really think we should
finally start listening to our users. I realise that many on this list
will have seen all of these messages below, given the amount of time most
of you have spent on Subversion (compared to myself).
I don't understand why people still want to keep putting up with these
complaints. These complaints are indeed very real. I would not sign them
off as merely perceptions.

http://subversion.tigris.org/servlets/ReadMsg?listName=users&msgNo=51881
http://subversion.tigris.org/servlets/ReadMsg?listName=users&msgNo=53453
http://subversion.tigris.org/servlets/ReadMsg?listName=users&msgNo=76899
http://subversion.tigris.org/servlets/ReadMsg?listName=users&msgNo=33169
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=16011
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=25247
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=34814
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=113647
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=136941
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=121026
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=67919
http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=78034
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=81601
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=20102
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=22006
http://subversion.tigris.org/servlets/ReadMsg?listName=dev&msgNo=45425

A few other threads exist regarding plaintext passwords in
svnserve's passwd file, but that is a different issue.

-- 
Stefan Sperling <stsp_at_elego.de>                 Software Developer
elego Software Solutions GmbH                            HRB 77719
Gustav-Meyer-Allee 25, Gebaeude 12        Tel:  +49 30 23 45 86 96 
13355 Berlin                              Fax:  +49 30 23 45 86 95
http://www.elego.de                 Geschaeftsfuehrer: Olaf Wagner

Received on 2008-04-18 02:54:01 CEST
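An added audit script (example code, not part of this patch or of Subversion itself) that reads the credential cache files Subversion writes under its auth directory and reports which entries hold the password itself on disk, the situation the mail describes. The on-disk hash format (length-prefixed K/V records ending in END), the passtype values and the cache path are assumptions about Subversion's auth cache; the two sample entries are constructed.

```python
from pathlib import Path

def _read_record(data: bytes, pos: int, tag: bytes):
    """Read one length-prefixed record ('K <len>\\n<bytes>\\n' or 'V <len>\\n<bytes>\\n')."""
    eol = data.index(b"\n", pos)
    kind, length = data[pos:eol].split(b" ", 1)
    if kind != tag:
        raise ValueError(f"expected {tag!r} record at offset {pos}, got {kind!r}")
    n, start = int(length), eol + 1
    value = data[start:start + n]
    if len(value) != n or data[start + n:start + n + 1] != b"\n":
        raise ValueError(f"truncated {tag!r} record at offset {pos}")
    return value.decode("utf-8"), start + n + 1

def parse_svn_hash(data: bytes) -> dict:
    """Parse the hash file format used under ~/.subversion/auth/ (K/V records, then END)."""
    fields, pos = {}, 0
    while data[pos:pos + 4] != b"END\n":
        key, pos = _read_record(data, pos, b"K")
        value, pos = _read_record(data, pos, b"V")
        fields[key] = value
    return fields

def plaintext_entries(cache_files: dict) -> list:
    """Return (file, realm, username) for every cached credential kept unprotected on disk."""
    leaks = []
    for name, data in cache_files.items():
        f = parse_svn_hash(data)
        # 'passtype' names the storage provider (assumed): 'simple', or absent in old caches,
        # means 'password' holds the real password; keychain/wincrypt/gnome-keyring do not.
        if f.get("passtype", "simple") == "simple" and "password" in f:
            leaks.append((name, f.get("svn:realmstring", "?"), f.get("username", "?")))
    return leaks

def scan_auth_dir(auth_dir=None) -> list:
    """Audit the real svn.simple cache; reports realm and user only, never the password."""
    auth_dir = auth_dir or Path.home() / ".subversion" / "auth" / "svn.simple"
    if not auth_dir.is_dir():
        return []
    return plaintext_entries({p.name: p.read_bytes() for p in auth_dir.iterdir() if p.is_file()})

# Constructed sample cache entries (not real files): one plaintext, one keychain-backed.
SAMPLE_CACHE = {
    "entry-plaintext": (b"K 8\npasstype\nV 6\nsimple\nK 8\npassword\nV 7\nhunter2\n"
                        b"K 15\nsvn:realmstring\nV 42\n<https://svn.example.org:443> Example Repo\n"
                        b"K 8\nusername\nV 5\nalice\nEND\n"),
    "entry-keychain": (b"K 8\npasstype\nV 8\nkeychain\n"
                       b"K 15\nsvn:realmstring\nV 40\n<https://svn.example.net:443> Other Repo\n"
                       b"K 8\nusername\nV 3\nbob\nEND\n"),
}
```

Running `scan_auth_dir()` on a workstation lists every realm for which a password was silently cached in the clear, which is the check a user in the second kind of environment would want before the default changes.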

This is an archived mail posted to the Subversion Dev mailing list.
