
Re: dont-save-plaintext-passwords-by-default branch done (2nd try)

From: Arfrever Frehtes Taifersar Arahesis <arfrever.fta_at_gmail.com>
Date: Thu, 1 May 2008 17:35:50 +0200

2008-05-01 14:19:38 Stefan Sperling wrote:
> On Wed, Apr 30, 2008 at 08:52:21PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> > What is the behavior wrt empty passwords?
> > IMHO they should be stored plaintextly without prompting.
>
> Why?
>
> We want to make people aware when Subversion can only store
> passwords in plaintext in their setup, regardless of the strength
> of their password. Having a special case like this does not help
> us achieve that goal.

I think that empty passwords aren't worth prompting the user.
I suggest this behavior only for 'store-plaintext-passwords = (yes|ask)'.

> Also, an "empty" password arguably means the password is
> 'hit the enter key', so it can still be considered a password,
> albeit a ridiculously weak one.

I mean that empty passwords are sometimes used for anonymous users
with read-only access, so there's no security risk here.
E.g.: http://viewvc.org/download.html

-- 
Arfrever Frehtes Taifersar Arahesis

Received on 2008-05-01 17:42:36 CEST

This is an archived mail posted to the Subversion Dev mailing list.