On Wed, 22 Apr 2015 11:12:36 +0200 Cedric BAIL <[email protected]> said:
> On Wed, Apr 22, 2015 at 10:08 AM, Tom Hacohen <[email protected]> wrote:
> > On 22/04/15 09:04, Carsten Haitzler wrote:
> >> raster pushed a commit to branch master.
> >>
> >> http://git.enlightenment.org/core/enlightenment.git/commit/?id=40a91376c6024b08e99981a61376be3927aa9c61
> >>
> >> commit 40a91376c6024b08e99981a61376be3927aa9c61
> >> Author: Carsten Haitzler (Rasterman) <[email protected]>
> >> Date: Wed Apr 22 17:03:44 2015 +0900
> >>
> >> e screenlock config dialog - note insecureness for personal pw/pin
> >>
> >> these store pin/pw in your user config files - it may be primitively
> >> hashed to obscure it, but it's there. it never pretended to have
> >> secure storage and even saved cleartext until e19. make sure people
> >> are aware
> >
> > It's really not too different from cleartext. Well actually it is,
> > because the hash is so shitty and only 32bit, it's more likely you'll
> > get a different password to work than the real one, so maybe revealing
> > the original password won't be easy with so many passwords working. :)
>
> We can easily improve security with 1.14 forward by using a SHA1 +
> salt stored in a ciphered EET section using the user password for that
> purpose. The purpose of storing inside the section SHA1+salt and not
> directly a boolean or something trivial is to add more time checking
> if the password was correct as EET can't know if it was able to
> decipher a ciphered section correctly. It is the data inside the
> section that tell if the data are cleanly read or not. That would make
> it as secure as any other password storage out there I guess.

I chose not to break functionality for people with a pw already set. You
change the hashing and you break this and have to deal with the upgrading and
resetting of pw etc.
--
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler) [email protected]

_______________________________________________
enlightenment-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
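Cedric's proposal above, modelled as an added Python example that is not EFL or EET code: the section holds the salt and SHA1(salt || pw) and is enciphered under a key derived from the password, and because the cipher itself cannot tell a wrong key from a right one, the inner hash is what decides. The SHA-256 counter keystream, the PBKDF2 key setup and SECTION_LABEL are stand-ins assumed here, not EET's real section cipher.

```python
import hashlib
import hmac
import os

# Constructed label used to derive the section key from the password alone;
# the per-entry salt lives inside the ciphered section, so it cannot feed
# key derivation (assumption, not EET's real key setup).
SECTION_LABEL = b"e-screenlock-ciphered-section"
SALT_LEN = 16


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter keystream: a stand-in for EET's section cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def section_cipher(password: str, data: bytes) -> bytes:
    """XOR data with a keystream derived from the password (symmetric, so the
    same call both enciphers and deciphers). A wrong password does not fail
    here; it just yields garbage, which is exactly the point of the design."""
    key = hashlib.pbkdf2_hmac("sha1", password.encode(), SECTION_LABEL, 10_000)
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def store_pin(password: str, salt=None) -> bytes:
    """Build the ciphered section: salt || SHA1(salt || password)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode()).digest()
    return section_cipher(password, salt + digest)


def verify_pin(section: bytes, candidate: str) -> bool:
    """Decipher with the candidate and recompute the inner hash. Garbage from
    a wrong key fails the comparison, so the data itself proves the key."""
    plain = section_cipher(candidate, section)
    salt, digest = plain[:SALT_LEN], plain[SALT_LEN:]
    expected = hashlib.sha1(salt + candidate.encode()).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    blob = store_pin("1234")
    print(verify_pin(blob, "1234"), verify_pin(blob, "1235"))  # True False
```

Nothing in the stored bytes reveals whether a candidate was right until the inner digest is recomputed, which is the extra checking cost Cedric describes.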
