2008-05-01 18:47:38 Stefan Sperling napisał(a):
> On Thu, May 01, 2008 at 05:35:50PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> > 2008-05-01 14:19:38 Stefan Sperling napisał(a):
> > > On Wed, Apr 30, 2008 at 08:52:21PM +0200, Arfrever Frehtes Taifersar Arahesis wrote:
> > > > What is the behavior wrt empty passwords?
> > > > IMHO they should be stored plaintextly without prompting.
> > >
> > > Why?
> > >
> > > We want to make people aware when Subversion can only store
> > > passwords in plaintext in their setup, regardless of the strength
> > > of their password. Having a special case like this does not help
> > > us achieve that goal.
> > I think that empty passwords aren't worth prompting user.
> Well, it may depend on the use case. We're prompting exactly because
> we cannot be sure that saving by default will be OK in all cases
> where people might end up using an empty password.
> > I suggest this behavior only for 'store-plaintext-passwords = (yes|ask)'.
> I think we should not be using 'yes' when the user wants 'ask',
> no matter what the password is.
> > > Also, an "empty" password arguably means the password is
> > > 'hit the enter key', so it can still be considered a password,
> > > albeit a ridiculously weak one.
> > I mean that empty passwords are sometimes used for anonymous users
> > with read-only access
> Yes, I guessed this was what you meant.
> > , so there's no security risk here.
> Keep in mind that we're not handling the security risk of storing
> plaintext passwords in any way. We're just trying to make sure people
> know what will happen when their password gets saved. Judging
> the security issues involved is up to the user, not us.
> I understand that you mean to be helpful to users in a very
> common use case (anonymous checkout), but I don't think we
> should make any exceptions like this right now. There may be
> other cases where silently saving an empty password (which
> is easily recognisable as such in the plaintext auth cache) may
> make someone really, really unhappy.
> That said, if many users (or many developers) say they want this,
> no problem, we can do it. But I would like to see our users' reactions
> to the prompt and get some feedback before deciding whether we should
> make an exception for empty passwords.
OK. It can be changed later on trunk.
> Because what we want to achieve
> here is giving our users a choice, and we don't want to be deciding
> things about the delicate 'plaintext password storing' issue for them,
> like we used to.
> (Since we probably can't make everyone happy either way, we could
> also add yet another option: "store-empty-passwords-in-plaintext" ;)
Additional option isn't necessary.
Arfrever Frehtes Taifersar Arahesis
Received on 2008-05-01 20:22:50 CEST