[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Security flaw: subversion stores passwords by default / Proposal

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Sat, 22 Mar 2008 18:57:43 -0400

"Deven T. Corzine" <deven_at_ties.org> writes:
> However, once you've chosen to store passwords, they should at least
> be obscured from casual viewing. Even if it's just Base64-encoded,
> that's better than plaintext passwords. At least it requires a
> positive step to decode the password, which won't happen by accident.
> An administrator could stumble across the plaintext password by
> accident, compromising the password unintentionally. No, it's no more
> secure from an attacker, but it's still an improvement.

Actually, personally I agree with that, but IIRC I lost that argument
years ago (and don't feel strongly about it).

CVS does trivially scramble passwords in just the way you describe, for
the reason you give.

To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-03-22 23:58:34 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.