[Melbourne-pm] Obfuscating passwords in configurations

Shlomi Fish shlomif at iglu.org.il
Thu Dec 2 02:40:32 PST 2010


On Wednesday 01 December 2010 23:14:45 Scott Penrose wrote:
> On 02/12/2010, at 1:50 AM, Shlomi Fish wrote:
> > I didn't do it, because this doesn't actually add protection. Anyone
> > who's acquired permissions to read your rc file will be able to run
> > fetchmail as you anyway—and if it's your password they're after, they'd
> > be able to rip the necessary decoder out of the fetchmail code itself to
> > get it.
> 
> This is 100% correct, and yet completely wrong.
> 
> Some real world examples are:
> 
> * Fake or even Real Video cameras. They act as a deterrent
> * Deadlocks on your house, when you have windows
> 
> The down side of encrypting (and really, it is just obfuscating in this
> case) your password is that you may get a false sense of security, e.g. you
> might post it on the net in a forum as an example of a config.
> 
> The upside of encrypting (obfuscating) is that it protects against
> accidental finding.
> 
> Subversion, Git and many other command line tools in unix obfuscate their
> passwords. These are mature projects who have thought about the issues.
> (mind you they have also covered the security too, by recommending things
> like SSH keys).

How do you know that they do that? Please cite it. I've looked into the 
contents of ~/.subversion/auth/svn.simple/ and the passwords are stored there 
in plaintext, completely unencrypted. Note that Subversion has an option to 
use the KDE or GNOME password managers, which is more secure (but possibly 
less convenient).

Regards,

	Shlomi Fish

-- 
-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
What does "Zionism" mean? - http://shlom.in/def-zionism

<rindolf> She's a hot chick. But she smokes.
<go|dfish> She can smoke as long as she's smokin'.

Please reply to list if it's a mailing list post - http://shlom.in/reply .
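The check described in the reply above (looking inside ~/.subversion/auth/svn.simple/ to see whether passwords are sitting there in plaintext) can be scripted. The following is an added example, not code from this thread or from Subversion itself. It assumes Subversion's hash-dump cache layout (repeated `K <len>` / `V <len>` records terminated by a line `END`, with the keys passtype, password, svn:realmstring and username, and the password key present only when passtype is "simple"), and it audits two constructed cache entries written to a temporary directory rather than a real ~/.subversion tree.

```python
"""Audit Subversion's ~/.subversion/auth/svn.simple/ cache for plaintext passwords.

Added example (not from the mailing-list post or the Subversion project).
Assumed file layout: Subversion's hash-dump format, i.e. repeated
    K <key-bytes>\n<key>\nV <value-bytes>\n<value>\n
records ending with a line "END". When passtype is "simple" the cleartext
password is stored in the file; other passtypes (gnome-keyring, kwallet, ...)
delegate to a password manager and the password key is absent.
"""
import tempfile
from pathlib import Path

# Constructed sample entries (not real cache files). Real files are named
# by the MD5 of the realm string; the names below are arbitrary.
PLAINTEXT_SAMPLE = """K 8
passtype
V 6
simple
K 8
password
V 7
hunter2
K 15
svn:realmstring
V 48
<https://svn.example.org:443> Example Repository
K 8
username
V 5
alice
END
"""

KEYRING_SAMPLE = """K 8
passtype
V 13
gnome-keyring
K 15
svn:realmstring
V 48
<https://svn.example.org:443> Example Repository
K 8
username
V 3
bob
END
"""


def _read_value(data: bytes, pos: int, length: int) -> tuple[str, int]:
    """Read a length-prefixed value plus its trailing newline; lengths are in bytes."""
    chunk = data[pos:pos + length]
    if len(chunk) != length or data[pos + length:pos + length + 1] != b"\n":
        raise ValueError("truncated record")
    return chunk.decode("utf-8"), pos + length + 1


def parse_svn_hash(text: str) -> dict:
    """Parse one hash-dump file into a dict (values may legally contain newlines)."""
    data = text.encode("utf-8")
    pos, result = 0, {}
    while True:
        nl = data.index(b"\n", pos)
        header, pos = data[pos:nl], nl + 1
        if header == b"END":
            return result
        if not header.startswith(b"K "):
            raise ValueError(f"expected 'K <len>', got {header!r}")
        key, pos = _read_value(data, pos, int(header[2:]))
        nl = data.index(b"\n", pos)
        vheader, pos = data[pos:nl], nl + 1
        if not vheader.startswith(b"V "):
            raise ValueError(f"expected 'V <len>', got {vheader!r}")
        result[key], pos = _read_value(data, pos, int(vheader[2:]))


def dump_svn_hash(entry: dict) -> str:
    """Inverse of parse_svn_hash, useful for round-trip checks."""
    out = []
    for key, value in entry.items():
        out.append(f"K {len(key.encode())}\n{key}\nV {len(value.encode())}\n{value}\n")
    return "".join(out) + "END\n"


def classify(entry: dict) -> tuple[str, bool]:
    """Return (storage backend, password-is-plaintext-in-file)."""
    plaintext = "password" in entry
    storage = entry.get("passtype", "simple" if plaintext else "unknown")
    return storage, plaintext


def audit_svn_simple(auth_dir: Path) -> list[dict]:
    """Parse every file in an svn.simple directory and report how each secret is held."""
    findings = []
    for path in sorted(p for p in auth_dir.iterdir() if p.is_file()):
        entry = parse_svn_hash(path.read_text(encoding="utf-8"))
        storage, plaintext = classify(entry)
        findings.append({"file": path.name,
                         "realm": entry.get("svn:realmstring", "?"),
                         "username": entry.get("username", "?"),
                         "storage": storage, "plaintext": plaintext})
    return findings


def demo() -> list[dict]:
    """Write the constructed samples into a temporary auth dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        auth_dir = Path(tmp)
        (auth_dir / "plaintext-entry").write_text(PLAINTEXT_SAMPLE, encoding="utf-8")
        (auth_dir / "keyring-entry").write_text(KEYRING_SAMPLE, encoding="utf-8")
        return audit_svn_simple(auth_dir)


if __name__ == "__main__":
    # Point audit_svn_simple at Path.home() / ".subversion/auth/svn.simple" for a real check.
    for f in demo():
        flag = "PLAINTEXT" if f["plaintext"] else f["storage"]
        print(f"{f['file']}: {f['username']} @ {f['realm']} -> {flag}")
```

Running it against a real cache only needs the directory swapped in as the comment shows; any entry reported as PLAINTEXT is protected by nothing but the mode bits on the file, which is exactly the situation the thread is arguing about.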

