Hi,
Do the same thing as at present, in that the client sends the password hashed
and not in cleartext.
The server takes that hashed value and the user name, hashes again (perhaps
with a different algorithm) and compares to what it has stored. Neither the
original password (stored in the
On Jan 9, 2010, at 5:24 PM, D. Richard Hipp wrote:
OK. Beginning with http://www.fossil-scm.org/fossil/ci/cfe33dcf92
Fossil will store passwords on servers as either cleartext or as a
SHA1 hash of the password. ...
I have tagged this change experimental for now. I'm planning to
make
Whatever I do, a 'fossil sync -R repo' does not copy over the user passwords.
So doing a 'failover' scenario where I have one repo backing up another, is
only correct as far as data goes, but users will be unable to log-in.
I must be missing something here...
--
For privacy, my GPG key
I agree with your conclusions. for my part I'm just glad that my
password is not stored in plain text in the fossil database -
especially when I don't control the repository. I know that the
transmissions are no more secure than before.
many people, for better or worse, reuse usernames and
The most common approaches I know of:
Unix-style password file: store salt || H(salt || password)
The 'salt' value is a random string used to make attacks that precompute
the hash values of common passwords harder. The downside is that the
client has to send the password in plaintext.
5 matches
Mail list logo