Subject: Re: [gcmd-dev] Getting rid of bug 653573 - Passwords stored in plain text in ./gnome-commander/connections
From: Uwe Scholz
Date: Tue, 3 Mar 2015 22:02:08 +0100
User-agent: Mutt/1.5.23 (2014-03-12)
Hi Michael,
Just to be sure, I don't know if this came out clearly in my last mail:
I'm not willing to take the responsibility for users' password storage in
software which is maintained by me.
Michael <address@hidden> wrote on [Mon, 02.03.2015 02:24]:
> Hmmm.... I think there are secure local ways, but it's probably not
> worth the effort to maintain them. Anything 'secure' has to be kept
> up-to-date and be watched for exploits. It's more effective to leave
> this routine to the keyring crews.
Do you really think there are secure ways that don't rely on external
libraries? I can hardly imagine that a developer without deep knowledge
of encryption and memory handling can handle something like this.
> There's one argument for local storage, though: Keyring is in focus of
> potential hackers, while a single file manager (and not too popular, I
> guess) is not.
From the developer's point of view there is never a good argument for
password storage on a disk, despite user convenience. The past gave us
enough examples. Even not storing the password physically on the
disk can be problematic: you might have heard about the latest bug in
PuTTY? (*)
Actually I'm wondering why Piotr did not remove the plain text storage
of an ssh password earlier. This is really a scary bug. Think of a
company using Gnome Commander... if I were an admin I would definitely
prohibit the use of a software in which passwords are stored in plain
text.
> [...]
>
> Instead of improving the security of some module of gcmd, anybody
> concerned should rather support improving keyring applications.
Exactly. This is also my point.
> ps. Ah, I forgot to say, I seem to remember there are more keyring
> apps out (like kwallet) and I hope they meanwhile talk a common
> protocol, so that a specific gnome binding is not necessary? i.e.,
> make the keyring application configurable.... and even if one freakish
> user's favourite no-works then at least gcmd is prepared for the day
> when it will do ...
Thanks for these tips, I will keep them in mind.
(*) http://www.heise.de/newsticker/meldung/SSH-Client-Putty-Fast-vergessene-Sicherheitsluecke-geschlossen-2563230.html
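To make the two points of this exchange concrete (plaintext passwords in a connections file are a defect to be removed, and secret storage should be delegated to a keyring behind a swappable interface), here is an added example that is not part of the thread and not GNOME Commander's own code. The INI layout of the connections file is a constructed stand-in, not the real gnome-commander/connections format, and `MemoryKeyring` is a hypothetical backend used only to show the interface; a real build would put a libsecret / Secret Service (or kwallet) client behind the same `store`/`lookup` calls.

```python
"""Audit a connection-profile file for plaintext passwords and migrate them out.

Added example. The INI layout below is a constructed stand-in for a
connections file, not GNOME Commander's real format. MemoryKeyring is a
hypothetical backend: it shows the interface a configurable keyring
would expose; production code would call libsecret / kwallet instead.
"""
import configparser
import io

# Constructed sample: two profiles, one of which carries a plaintext password.
SAMPLE_CONNECTIONS = """\
[work-sftp]
uri = sftp://fileserver.example.internal/
user = alice
password = hunter2

[public-ftp]
uri = ftp://ftp.example.org/
user = anonymous
"""

# Key names that should never carry a non-empty value on disk.
PASSWORD_KEYS = {"password", "passwd", "pass", "secret"}


def find_plaintext_secrets(text):
    """Return [(section, key)] for every secret-like key with a non-empty value."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    hits = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if key.lower() in PASSWORD_KEYS and value.strip():
                hits.append((section, key))
    return hits


class MemoryKeyring:
    """Hypothetical keyring stand-in: keeps secrets in process memory only.

    Any backend that offers store()/lookup() keyed by (profile, user) can be
    dropped in here, which is what 'make the keyring configurable' amounts to.
    """

    def __init__(self):
        self._store = {}

    def store(self, profile, user, password):
        self._store[(profile, user)] = password

    def lookup(self, profile, user):
        return self._store.get((profile, user))


def migrate_to_keyring(text, keyring):
    """Move each plaintext password into the keyring; return the stripped file text.

    The rewritten file keeps only a marker saying the secret lives in the
    keyring, so nothing sensitive remains on disk.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    for section, key in find_plaintext_secrets(text):
        user = cfg[section].get("user", "")
        keyring.store(section, user, cfg[section][key])
        cfg.remove_option(section, key)
        cfg[section]["password_in_keyring"] = "yes"
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, key in find_plaintext_secrets(SAMPLE_CONNECTIONS):
        print(f"plaintext secret: [{section}] {key}")
    kr = MemoryKeyring()
    print(migrate_to_keyring(SAMPLE_CONNECTIONS, kr))
```

Running the audit first and the migration second mirrors what an admin would want from the file manager itself: a scan that flags any profile still holding a password, and a rewrite that leaves the file usable (profile, URI, user) while the secret is fetched from the keyring at connect time.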