[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [Issue 4145] Master passphrase and encrypted credentials cache

From: Branko Čibej <brane_at_apache.org>
Date: Tue, 27 Mar 2012 03:05:12 +0200

On 26.03.2012 17:45, Greg Hudson wrote:
> On 03/26/2012 09:00 AM, C. Michael Pilato wrote:
>> The on-disk cache will contain everything it does today where
>> plaintext caching is enabled, save that the password won't be
>> plaintext, and there will be a bit of known encrypted text (for
>> passphrase validation).
> Is it important to be able to locally validate the passphrase? That
> property intrinsically enables offline dictionary attacks.

I was going to say the same. When I read "known encrypted text" my hair
stood on end. :)

You don't need passphrase validation. If the passphase is wrong, then
the recovered password will be wrong, too. It is bad practice to tell
people that they used the wrong passphrase, and it's even better if you
don't even know that it's wrong.

-- Brane
Received on 2012-03-27 03:05:21 CEST

This is an archived mail posted to the Subversion Dev mailing list.