[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: dont-save-plaintext-passwords-by-default branch done (2nd try)

From: Arfrever Frehtes Taifersar Arahesis <arfrever.fta_at_gmail.com>
Date: Thu, 1 May 2008 20:18:56 +0200

2008-05-01 18:47:38 Stefan Sperling napisał(a):
> On Thu, May 01, 2008 at 05:35:50PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> > 2008-05-01 14:19:38 Stefan Sperling napisał(a):
> > > On Wed, Apr 30, 2008 at 08:52:21PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> > > > What is the behavior wrt empty passwords?
> > > > IMHO they should be stored plaintextly without prompting.
> > >
> > > Why?
> > >
> > > We want to make people aware when Subversion can only store
> > > passwords in plaintext in their setup, regardless of the strength
> > > of their password. Having a special case like this does not help
> > > us achieve that goal.
> >
> > I think that empty passwords aren't worth prompting user.
>
> Well, it may depend on the use case. We're prompting exactly because
> we cannot be sure that saving by default will be OK in all cases
> where people might end up using an empty password.
>
> > I suggest this behavior only for 'store-plaintext-passwords = (yes|ask)'.
>
> I think we should not be using 'yes' when the user wants 'ask',
> no matter what the password is.
>
> > > Also, an "empty" password arguably means the password is
> > > 'hit the enter key', so it can still be considered a password,
> > > albeit a ridiculously weak one.
> >
> > I mean that empty passwords are sometimes used for anonymous users
> > with read-only access
>
> Yes, I guessed this was what you meant.
>
> > , so there's no security risk here.
>
> Keep in mind that we're not handling the security risk of storing
> plaintext passwords in any way. We're just trying to make sure people
> know what will happen when their password gets saved. Judging
> the security issues involved is up to the user, not us.
>
> I understand that you mean to be helpful to users in a very
> common use case (anonymous checkout), but I don't think we
> should make any exceptions like this right now. There may be
> other cases where silently saving an empty password (which
> is easily recognisable as such in the plaintext auth cache) may
> make someone really, really unhappy.
>
> That said, if many users (or many developers) say they want this,
> no problem, we can do it. But I would like to see our users' reactions
> to the prompt and get some feedback before deciding whether we should
> make an exception for empty passwords.

OK. It can be changed later on trunk.

> Because what we want to achieve
> here is giving our users a choice, and we don't want to be deciding
> things about the delicate 'plaintext password storing' issue for them,
> like we used to.
>
> (Since we probably can't make everyone happy either way, we could
> also add yet another option: "store-empty-passwords-in-plaintext" ;)

Additional option isn't necessary.

-- 
Arfrever Frehtes Taifersar Arahesis

Received on 2008-05-01 20:22:50 CEST

This is an archived mail posted to the Subversion Dev mailing list.