Re: [fossil-users] Passwords stored in cleartext in 'user' table

Hi, Do the same thing as at present, in that the client sends the password hashed and not in cleartext. The server takes that hashed value and the user name, hashes again (perhaps with a different algorithm) and compares to what it has stored. Neither the original password (stored in the

Re: [fossil-users] Passwords stored in cleartext in 'user' table

On Jan 9, 2010, at 5:24 PM, D. Richard Hipp wrote: OK. Beginning with http://www.fossil-scm.org/fossil/ci/cfe33dcf92 Fossil will store passwords on servers as either cleartext or as a SHA1 hash of the password. ... I have tagged this change experimental for now. I'm planning to make

[fossil-users] How is user table backed up in self-hosting repository?

Whatever I do, a 'fossil sync -R repo' does not copy over the user passwords. So doing a 'failover' scenario where I have one repo backing up another, is only correct as far as data goes, but users will be unable to log-in. I must be missing something here... -- For privacy, my GPG key

Re: [fossil-users] Passwords stored in cleartext in 'user' table

I agree with your conclusions. for my part I'm just glad that my password is not stored in plain text in the fossil database - especially when I don't control the repository. I know that the transmissions are no more secure than before. many people, for better or worse, reuse usernames and

Re: [fossil-users] Passwords stored in cleartext in 'user' table

The most common approaches I know of: Unix-style password file: store salt || H(salt || password) The 'salt' value is a random string used to make attacks that precompute the hash values of common passwords harder. The downside is that the client has to send the password in plaintext.