
Re: dont-save-plaintext-passwords-by-default branch done (2nd try)

From: Stefan Sperling <stsp_at_elego.de>
Date: Thu, 1 May 2008 18:47:38 +0200

On Thu, May 01, 2008 at 05:35:50PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> 2008-05-01 14:19:38 Stefan Sperling wrote:
> > On Wed, Apr 30, 2008 at 08:52:21PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> > > What is the behavior wrt empty passwords?
> > > IMHO they should be stored plaintextly without prompting.
> >
> > Why?
> >
> > We want to make people aware when Subversion can only store
> > passwords in plaintext in their setup, regardless of the strength
> > of their password. Having a special case like this does not help
> > us achieve that goal.
>
> I think that empty passwords aren't worth prompting user.

Well, it may depend on the use case. We're prompting exactly because
we cannot be sure that saving by default will be OK in all cases
where people might end up using an empty password.

> I suggest this behavior only for 'store-plaintext-passwords = (yes|ask)'.

I think we should not be using 'yes' when the user wants 'ask',
no matter what the password is.

> > Also, an "empty" password arguably means the password is
> > 'hit the enter key', so it can still be considered a password,
> > albeit a ridiculously weak one.
>
> I mean that empty passwords are sometimes used for anonymous users
> with read-only access

Yes, I guessed this was what you meant.

> , so there's no security risk here.

Keep in mind that we're not handling the security risk of storing
plaintext passwords in any way. We're just trying to make sure people
know what will happen when their password gets saved. Judging
the security issues involved is up to the user, not us.

I understand that you mean to be helpful to users in a very
common use case (anonymous checkout), but I don't think we
should make any exceptions like this right now. There may be
other cases where silently saving an empty password (which
is easily recognisable as such in the plaintext auth cache) may
make someone really, really unhappy.

That said, if many users (or many developers) say they want this,
no problem, we can do it. But I would like to see our users' reactions
to the prompt and get some feedback before deciding whether we should
make an exception for empty passwords. Because what we want to achieve
here is giving our users a choice, and we don't want to be deciding
things about the delicate 'plaintext password storing' issue for them,
like we used to.

(Since we probably can't make everyone happy either way, we could
also add yet another option: "store-empty-passwords-in-plaintext" ;)

-- 
Stefan Sperling <stsp_at_elego.de>                    Software Monkey
 
German law requires the following banner :(
elego Software Solutions GmbH                            HRB 77719
Gustav-Meyer-Allee 25, Gebaeude 12        Tel:  +49 30 23 45 86 96 
13355 Berlin                              Fax:  +49 30 23 45 86 95
http://www.elego.de                               CEO: Olaf Wagner
 
Store password unencrypted (yes/no)? No
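Added illustration, not part of the thread: the setting the discussion is about lives in the client's `~/.subversion/servers` file, and it can be set per server group. Setting `ask` globally keeps the prompt described above, while a group for a repository that is only ever accessed anonymously can be given an explicit `yes`, so the "empty password" case is handled by user configuration rather than by a special case in the code. The group name `anon_read_only` and the host pattern are constructed for the example.

```ini
[groups]
# Constructed example: match the hosts that only offer anonymous
# read-only access and are used with an empty password.
anon_read_only = svn.example.org

[global]
# Default for every host not listed in a group: prompt before the
# password is written unencrypted to the auth cache ("yes" would
# silently store it, "no" would never store it).
store-plaintext-passwords = ask

[anon_read_only]
# Explicit opt-in for the anonymous hosts above. The empty password is
# still written to the plaintext auth cache, which is why this is a
# deliberate per-group choice rather than the global default.
store-plaintext-passwords = yes
```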

Received on 2008-05-01 18:47:10 CEST

This is an archived mail posted to the Subversion Dev mailing list.