On Wed, Sep 11, 2024 at 10:47 AM Chris Green <[email protected]> wrote:

> On Wed, Sep 11, 2024 at 10:06:05AM -0500, R Losey wrote:
> > On Wed, Sep 11, 2024 at 9:56 AM Fred Bone <[email protected]> wrote:
> >
> > > On 10 September 2024 at 14:09, R Losey said:
> > >
> > > > Well, but think about it... after the password is entered, THEN what? The
> > > > "correct" password would have to be stored somewhere so that GnuCash could
> > > > verify what is entered is correct, and clearly saving the password in
> > > > clear text is not secure. Because the software is open source, anyone
> > > > could read the steps taken to secure the password, and that would be a
> > > > huge help in breaking the password.
> > >
> > > Clearly you don't know anything about how password protected files are
> > > handled.
> > >
> > > The password is NOT stored anywhere. It doesn't need to be. So there is
> > > no code taking "steps to secure the password".
> > >
> > > The program doesn't need to "verify what is entered is correct", beyond
> > > attempting to use it to decrypt the data. That either works or it
> > > doesn't.
> > >
> >
> > It's certainly possible that I am lacking knowledge... I was thinking of
> > the *nix passwords which are (used to be) stored in encrypted form in the
> > /etc/passwd file.
> >
> No, they're not.  What's stored is the result of applying an algorithm
> to the password you supply.  So, you enter a password, the password is
> 'scrambled' by the password checking software and, if the resulting
> scramble matches your entry in the password file (actually the shadow
> file nowadays) you can log in.
>
> In reality it's even a bit more complicated than this, but anyway the
> password isn't stored in any way.
>

Your last sentence gave me a laugh; it directly contradicts your previous
paragraph: "What's stored is the result of applying an algorithm to the
password you supply" -- so the password IS stored in some encrypted fashion
-- at the very least something related to the password is indeed stored.
I've often thought that they may use the password itself as the encryption
hash to encrypt the password, and that would make it (I think) pretty hard
to break, even knowing the algorithm.

-- 
_________________________________
Richard Losey
[email protected]
Micah 6:8
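
The login check discussed in this thread (store the result of an algorithm applied to the password, then re-run it on whatever is typed and compare), as an added example that is not part of the original messages. It uses salted PBKDF2-HMAC-SHA256 from Python's standard library; the record layout, function names and iteration count are assumptions made for illustration and are not the real shadow-file format.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example
ALGO = "pbkdf2-sha256"  # label used only in this example's record layout


def make_record(password, salt=None, iterations=ITERATIONS):
    """Build the string that gets stored: algo$iterations$salt$digest.

    The password itself never appears in the record; only a random salt
    and the one-way derived digest do.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Re-run the derivation with the stored salt and compare digests."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != ALGO or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = make_record("correct horse battery staple")  # constructed sample
    print("stored record:", stored)
    print("right password:", verify("correct horse battery staple", stored))
    print("wrong password:", verify("Tr0ub4dor&3", stored))
```

Because each record carries its own random salt, two users with the same password get different stored values, and knowing the algorithm only lets an attacker guess candidates one at a time at the cost set by the iteration count.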