Hi Alex and Edwin,

>>> This is a big flaw. =A0You should not be able ever to find out his
>>> password.
>> Why not?
>> Nobody could stop me anyway. I could trace the program during execution,
>> for example, to get the passwords.
> oh yes! :D

So you don't lock your house because it's impossible to make it
thieve-proof?  Or, why do you lock your house when it so easy to break
in anyway?  Your lock most likely works because there is so little
incentive to get in.  Some time ago I saw a BBC documentary about how
rich people live in Moscow.  One of their main criteria was how many
guards with Kalashnikov the place had:-o

Maybe "ever" was too strong word I used because it's impossible as you
quickly pointed out.  However, securing login is not black and white but
rather many shades of gray.

If you use plain text passwords and somebody gets hold of the data, he
has all those passwords available for all users instantly.  If you don't
store the passwords, you limit significantly the places and moments
where the passwords can leak.  Also, not all of them leak at the same
time together instantly but only one or a few might get compromised
(e.g. if you trace the program during execution in order to spy on
somebody's password).  In other words, there is a huge difference
between getting all passwords in one go the moment I get access to the
machine, and between getting passwords gradually as people log in while
I'm having access to the machine.  And it's rather easy to fix.

I personally have bad experience with people storing passwords in plain
text.  Technically it might not be an issue (after all I think the wiki
doesn't need passwords at all) but it is certainly one of those warning
signs telling me "get ready for trouble with these guys"
(http://i.imgur.com/xZW77.png ).  And this issue pops up all the time,
e.g. today on reddit


UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe

Reply via email to