[Melbourne-pm] Obfuscating passwords in configurations

Scott Penrose scottp at dd.com.au
Wed Dec 1 13:14:45 PST 2010

On 02/12/2010, at 1:50 AM, Shlomi Fish wrote:
> I didn't do it, because this doesn't actually add protection. Anyone who's 
> acquired permissions to read your rc file will be able to run fetchmail as you 
> anyway—and if it's your password they're after, they'd be able to rip the 
> necessary decoder out of the fetchmail code itself to get it.

This is 100% correct, and yet completely wrong.

Some real world examples are:

* Fake or even Real Video cameras. They act as a deterrent
* Deadlocks on your house, when you have windows

The down side of encrypting (and really, it is just obfuscating in this case) your password is you may get a false sense of security, e.g. you might post it on the net in a forum an example of config.

The upside of encrypting (obfuscating) is that it protects against accidental finding.

Subversion, GIT and many other command line tools in unix obfuscate their passwords. These are mature projects who have thought about the issues. (mind you they have also covered the security too, by recommending things like SSH keys).

If you were running a simple disk scan, or helping someone manage disk issue/disk space, you won't be accidentally giving away your passwords.

So yes... think... NO EXTRA SECURITY.
Just Obfuscation. But even obfuscation has its place.


More information about the Melbourne-pm mailing list