Not storing passwords in cleartext

John A Meinel john at arbash-meinel.com
Sun Nov 20 14:00:37 GMT 2005


Matthieu Moy wrote:
> Robey Pointer <robey at lag.net> writes:
> 
>> I think it should track url type too.  
> 
> Then, ~/.authinfo is not the answer. The advantage of it is that it is
> used by other pieces of software (Gnus, mutt, slrn at least), so,
> reusing it means 1) less to type if you use the same
> machine/login/password and 2) only one chmod 600 not to forget.
> 
>> I'm likely to have a different password for my website and sftp,
>> even though they use the same machine name.
> 
> By curiosity, would it be for the same username?
> 
> What I've implemented in Bazaar is: if you don't provide the username,
> it is found from the machine name in ~/.authinfo. If there are several
> lines with the same machine in ~/.authinfo, then you have to provide
> the username in the URL, and it will fetch the corresponding password
> in the ~/.authinfo file.
> 
> If we decide not to use the .authinfo syntax, then we probably also
> want to keep the full URL, since you may have different WebDAV
> passwords and/or login in different directories for the same host.
> 
> How about a .ini file like
> 
> [http://host.com]
> login=<default login for host.com with http>
> password=<default pass for host.com with http>
> password=<password for user John> login=john
> login=<login for http://host.com/webdav/jane directory> path=webdav/jane
> password=<password for http://host.com/webdav/jane directory> path=webdav/jane
> 

What about also having the ability to do a little bit of mixing for the
password text.

For example, the ability to base64 the password. If someone wants your
password, it isn't any more secure. But it does prevent accidental
notice. Say someone is trying to help you out with your configuration,
and opens up that file. With base64, they can write it down and take it
home, and break it easily. But without it, they now have seen your password.

I ran into that in the past with database dumps. I was just inspecting
the dump to see what tables were being saved, and I found out it dumped
the password table, and all of a sudden, I saw everyone's password.

Just to say, that a little bit of extra privacy doesn't make you more
secure (against active attacks), but it does make you a little safer
(against accidents).

John
=:->
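
An added example to illustrate the file layout and lookup rules sketched
in this thread (my own illustration for this archive page, not code from
Bazaar and not what Matthieu or John implemented): a hypothetical
credential store keyed by scheme and host, with an optional path= scope
per line and the optional base64 obfuscation John proposes. Lookup follows
Matthieu's rule: if several logins are stored for the same machine and the
URL carries no username, refuse to guess rather than pick one. The
one-credential-per-line layout, the "base64:" prefix, the function names
and the sample file contents are all assumptions made for this example.

```python
"""Illustrative credential-store lookup (example only; not Bazaar's code).

Assumed file layout, one credential per line, sections keyed by scheme+host:

    [http://host.com]
    login=alice password=base64:YWxpY2UtcHc=
    login=john password=s3cret
    path=webdav/jane login=jane password=base64:amFuZS1wdw==
"""
import base64
import shlex
from dataclasses import dataclass
from urllib.parse import urlsplit


class AmbiguousCredentials(LookupError):
    """Several logins match and the URL did not say which one to use."""


@dataclass
class Entry:
    login: str
    password: str   # stored form; may carry the optional "base64:" prefix
    path: str = ""  # URL path prefix this entry applies to ("" = whole host)


def parse_store(text):
    """Parse the ini-like text into {"scheme://host": [Entry, ...]}."""
    store, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].rstrip("/")
            store.setdefault(section, [])
            continue
        if section is None:
            raise ValueError("credential line before any [section]: %r" % line)
        fields = {}
        for token in shlex.split(line):  # shlex lets quoted values contain spaces
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError("expected key=value, got %r" % token)
            fields[key] = value
        store[section].append(Entry(fields["login"], fields["password"],
                                    fields.get("path", "").strip("/")))
    return store


def reveal(stored):
    """Undo the optional base64 obfuscation.

    This only hides the password from a casual glance at the file; anyone
    who can read the file decodes it in one call. File permissions still
    carry the real protection.
    """
    if stored.startswith("base64:"):
        return base64.b64decode(stored[len("base64:"):]).decode("utf-8")
    return stored


def lookup(store, url):
    """Return (login, password) for url.

    - the section is chosen by scheme and host (so http and sftp on the
      same machine can hold different passwords);
    - entries with path= apply only at or below that path, longest match wins;
    - if several logins still match and the URL has no username, refuse.
    """
    parts = urlsplit(url)
    key = "%s://%s" % (parts.scheme, parts.hostname)
    req_path = parts.path.strip("/")
    scoped = [e for e in store.get(key, [])
              if e.path == "" or req_path == e.path
              or req_path.startswith(e.path + "/")]
    if not scoped:
        raise KeyError("no credentials stored for %s" % key)
    best = max(len(e.path) for e in scoped)
    scoped = [e for e in scoped if len(e.path) == best]
    if parts.username is not None:
        scoped = [e for e in scoped if e.login == parts.username]
        if not scoped:
            raise KeyError("no entry for user %s at %s" % (parts.username, key))
    if len(scoped) > 1:
        raise AmbiguousCredentials(
            "several logins stored for %s; put the username in the URL" % key)
    entry = scoped[0]
    return entry.login, reveal(entry.password)


def needs_username(store, url):
    """True when lookup(url) would refuse for lack of a username."""
    try:
        lookup(store, url)
    except AmbiguousCredentials:
        return True
    return False


# Constructed sample file for the example (not real credentials).
SAMPLE_STORE = """\
[http://host.com]
login=alice password=base64:YWxpY2UtcHc=
login=john password=s3cret
path=webdav/jane login=jane password=base64:amFuZS1wdw==

[sftp://host.com]
login=alice password=sftp-only
"""
STORE = parse_store(SAMPLE_STORE)

if __name__ == "__main__":
    print(lookup(STORE, "http://john@host.com/"))            # ('john', 's3cret')
    print(lookup(STORE, "http://host.com/webdav/jane/docs"))  # ('jane', 'jane-pw')
    print(lookup(STORE, "sftp://host.com/"))                  # ('alice', 'sftp-only')
    print(needs_username(STORE, "http://host.com/"))          # True
```

Note that lookup("http://host.com/") fails on purpose: both alice and
john are stored for that scheme and host with no path scope, which is
exactly the case where the thread says the username must come from the
URL. The base64 step changes nothing about who can recover the password;
it just keeps it from being read off the screen by someone looking over
the file for another reason, which is the whole of John's point.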

