Re: dont-save-plaintext-passwords-by-default branch done (2nd try)

From: Arfrever Frehtes Taifersar Arahesis <arfrever.fta_at_gmail.com>
Date: Thu, 1 May 2008 17:35:50 +0200

2008-05-01 14:19:38 Stefan Sperling napisał(a):
> On Wed, Apr 30, 2008 at 08:52:21PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> > What is the behavior wrt empty passwords?
> > IMHO they should be stored plaintextly without prompting.
>
> Why?
>
> We want to make people aware when Subversion can only store
> passwords in plaintext in their setup, regardless of the strength
> of their password. Having a special case like this does not help
> us achieve that goal.

I think that empty passwords aren't worth prompting user.
I suggest this behavior only for 'store-plaintext-passwords = (yes|ask)'.

> Also, an "empty" password arguably means the password is
> 'hit the enter key', so it can still be considered a password,
> albeit a ridiculously weak one.

I mean that empty passwords are sometimes used for anonymous users
with read-only access, so there's no security risk here.
E.g.: http://viewvc.org/download.html

-- 
Arfrever Frehtes Taifersar Arahesis

application/pgp-signature attachment: This is a digitally signed message part.

Received on 2008-05-01 17:42:36 CEST

This message: [ Message body ]
Next message: epg_at_google.com: "Re: "svn resolve --accept=mine-full" is not loggy"
Previous message: Stefan Sperling: "Re: Review of dont-* branch"
In reply to: Stefan Sperling: "Re: dont-save-plaintext-passwords-by-default branch done (2nd try)"
Next in thread: Stefan Sperling: "Re: dont-save-plaintext-passwords-by-default branch done (2nd try)"
Reply: Stefan Sperling: "Re: dont-save-plaintext-passwords-by-default branch done (2nd try)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]