On Mon, Apr 18, 2011 at 9:47 AM, Ross Drummond <[email protected]> wrote:

> Warning: The netrc file stores your login and password in plain text, so you
> need to be comfortable with the lack of security in this file.

There is no "lack of security" in using a file to store plain text passwords. The file is as safe as the file permissions make it -- so ensure that it is readable only by your user.

Some people believe that you can store "encrypted" passwords more securely; this is true as long as the computer you store them on isn't also expected to *use* the files -- which in this case it would be. The program using the files would have to have the ability to decrypt the passwords; and it would be running as your user, which means that you (or your attacker) have the ability to find out what the decryption key was ...

Eric Raymond, author of Fetchmail, addresses this point here:
http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s09.html

"""
Another lesson is about security by obscurity. Some fetchmail users asked me to change the software to store passwords encrypted in the rc file, so snoopers wouldn't be able to casually see them. I didn't do it, because this doesn't actually add protection. Anyone who's acquired permissions to read your rc file will be able to run fetchmail as you anyway—and if it's your password they're after, they'd be able to rip the necessary decoder out of the fetchmail code itself to get it. All .fetchmailrc password encryption would have done is give a false sense of security to people who don't think very hard. The general rule here is:

17. A security system is only as secure as its secret. Beware of pseudo-secrets.
"""

-jim

_______________________________________________
Linux-users mailing list
[email protected]
http://lists.canterbury.ac.nz/mailman/listinfo/linux-users
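The post's practical advice is that a plain-text credentials file is exactly as safe as its permissions, so the check worth automating is "owned by me, mode 0600 or 0400". The following POSIX sh function is an added example written for this page, not code from the thread or from fetchmail: it defaults to ~/.netrc (an assumed path), parses "ls -ld" output rather than the non-portable stat(1) flags, and reports every problem it finds along with the chmod that fixes it.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a credentials
# file such as ~/.netrc is readable only by its owner.
#
# netrc_perm_problems [FILE]
#   Prints one line per problem found. Returns 0 when FILE is a regular file
#   owned by the invoking user with no group/other permission bits set
#   (e.g. mode 0600 or 0400), and 1 otherwise.
#   FILE defaults to $HOME/.netrc (assumed default for this example).
netrc_perm_problems() {
    f="${1:-$HOME/.netrc}"
    if [ ! -f "$f" ]; then
        echo "missing: $f is not a regular file"
        return 1
    fi
    # "ls -ld" is POSIX; its first field is the mode string and the third is
    # the owner, e.g. "-rw-r--r-- 1 alice users 120 Apr 18 09:47 /home/alice/.netrc".
    # (stat(1) would be simpler but its flags differ between GNU and BSD.)
    set -- $(ls -ld "$f")
    mode="$1"
    owner="$3"
    me=$(id -un)
    rc=0
    if [ "$owner" != "$me" ]; then
        echo "owner: $f is owned by $owner, not $me"
        rc=1
    fi
    # Mode string layout: type, owner rwx, group rwx, other rwx. Characters
    # 5-10 (group and other) must all be '-'. A trailing '+' or '.' marks an
    # ACL or security label and is allowed by the trailing '*'.
    case "$mode" in
        ????------*) ;;
        *)
            echo "mode: $f is group/other accessible ($mode); fix with: chmod 600 $f"
            rc=1
            ;;
    esac
    return $rc
}
```

Source the file and call `netrc_perm_problems ~/.netrc` from a login script or a pre-flight step in any job that relies on the file; a non-zero status means the credentials are exposed to other local accounts, which is the only threat a permission-protected plain-text file is meant to address.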
