On 02/01/2008, Martin Ebourne <li...@ebourne.me.uk> wrote:
> demerphq <demer...@gmail.com> wrote:
> > It's not a security thing IMO. It's a peace-of-mind thing. Any sysadmin
> > can easily *deliberately* find out a user's password in such a system,
> > cleartext or base64 or rot13. But what Base64 does that rot13 barely
> > does which cleartext does not is prevent sysadmins from accidentally
> > seeing a bunch of passwords when they didn't intend to. Which IMO is a
> > good thing.
> >
> > So if you aren't going to store them securely, storing them in an obfuscated
> > form is at least better than storing them in cleartext. Opening a
> > config file to a system where the passwords are stored in cleartext is
> > quite hateful IMO.
>
> Depends on your point of view I guess. I would consider any password
> stored unencrypted on a shared system as potentially compromised.
> Hence I would only ever store passwords in that way if I didn't care
> that they were compromised, so I wouldn't care if a sysadmin did read
> the password.
>
> All other passwords are stored securely or retyped each time they are
> required (that includes several of my svn passwords).
>
> My rules are simple:
>
> - if I wouldn't tell someone the password if they asked, then
> - I wouldn't trust anyone not to go and find it out, and
> - it needs to be stored securely.
I agree with all of this pretty much. Yet... I really don't want to see
passwords, even insecure ones, accidentally.

Yves
--
perl -Mre=debug -e "/just|another|perl|hacker/"