Re: wrong issue

From: Dale McCoy <dalestan_at_gmail.com>
Date: Wed, 13 Apr 2011 21:31:16 -0400

> Yes, if a breach occurs while the passwords are still present, the
> cracker will be able to get them. However, if the breach occurs after
> the passwords have expired and been overwritten, then the cracker can
> not get them. The shorter the expiration time, the smaller the window
> of vulnerability.

There are two separate ostensible "security issues" that are being
conflated here:

The window of vulnerability for the OP's "security issue" (reading the
memory of a foreign process) is "The time during which TortoiseSVN is
actively performing actions that require authentication."

The security issue that makes it easy to extract a user's password
only works if the user first tells TortoiseSVN "Save my password so I
never have to type it again with this login on this computer."

Which are you complaining about again?

Dale McCoy

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719627

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2011-04-14 03:31:20 CEST

This message: [ Message body ]
Next message: Kevin Radke: "Re: Credentials held unencrypted in memory during runtime"
Previous message: Eric Hirst: "RE: Credentials held unencrypted in memory during runtime"
In reply to: Ron Wilson: "wrong issue"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]