gcmd-devel

Re: [gcmd-dev] Getting rid of bug 653573 - Passwords stored in plain tex


From: Uwe Scholz
Subject: Re: [gcmd-dev] Getting rid of bug 653573 - Passwords stored in plain text in ./gnome-commander/connections
Date: Tue, 3 Mar 2015 22:02:08 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

Hi Michael,

Just to be sure, I don't know if this came out clearly in my last mail:
I'm not willing to take responsibility for users' password storage in
software that is maintained by me.

Michael <address@hidden> wrote on [Mon, 02.03.2015 02:24]:
> Hmmm.... I think there are secure local ways, but it's probably not
> worth the effort to maintain them. Anything 'secure' has to be kept
> up-to-date and be watched for exploits. It's more effective to leave
> this routine to the keyring crews.

Do you really think there are secure ways that don't rely on external
libraries? I can hardly imagine that a developer without deep knowledge
in encryption and memory handling can handle something like this.

> There's one argument for local storage, though: Keyring is in focus of
> potential hackers, while a single file manager (and not too popular, I
> guess) is not.

From the developer's point of view there is never a good argument for
password storage on a disk, despite user convenience. The past gave us
enough examples. Even not storing the password physically on the
disk can be problematic: You might have heard about the latest bug in
PuTTY? (*)

Actually I'm wondering why Piotr did not remove the plain text storage
of an ssh password earlier. This is really a scary bug. Think of a
company using Gnome Commander... if I was an admin I would definitely
prohibit the use of a software in which passwords are stored in plain
text.

> [...]
> 
> Instead of improving the security of some module of gcmd, anybody
> concerned should rather support improving keyring applications.

Exactly. This is also my point. 

> P.S. Ah, I forgot to say, I seem to remember there are more keyring
> apps out (like kwallet) and I hope they meanwhile talk a common
> protocol, so that a specific gnome binding is not necessary? i.e.,
> make the keyring application configurable....and even if one freakish
> user's favorite no-works then at least gcmd is prepared for the day
> when it will do ...

Thanks for these tips, I will keep them in mind. 

(*)
http://www.heise.de/newsticker/meldung/SSH-Client-Putty-Fast-vergessene-Sicherheitsluecke-geschlossen-2563230.html


