»Q« wrote:
> In <news:[email protected]>,
> Rufus <[email protected]> wrote:
>
>> »Q« wrote:
>>
>>> Erasing all the users' passwords when they want to stop using a
>>> master password wouldn't protect them from anything in any way --
>>> it would just force them to re-type all their passwords into
>>> SeaMonkey again.
>>
>> It would reset the encryption engine - and yes, thus they would have
>> to retype them again.  I've got no problem with that.
>
> What does "reset the encryption engine" mean?  And given that the user
> won't be using the encryption feature whether he is forced to retype
> the passwords or not, what difference could it make?


The Master Password hopefully acts as a key (or a key seed) to encrypt the contents of the stored passwords using whatever algorithm is employed to encrypt the data - that algorithm is called an "encryption engine". I would have thought (and expected) that encrypted or not, resetting the key would very straightforwardly reset the entire file structure/contents - encryption selected by the user or not (which used to be a user option, but now isn't in SM 2.x.x).

New Master = new key for the encryption. One would think that there should be no difference between Reset Master Password and entering a null string - which is essentially the default installation.

In order to work the way it does, it has to be deliberately coded to branch on a null string...which is something I wouldn't have expected the coders to have done, given how "security conscious" they seem to be in warning people to move on from 1.1.19 for security reasons. Anyway, that's what I would have expected...reset or kill the key, kill the contents. That's the way it's supposed to work.

Given that with SM 2.0 the statement about encryption was entirely removed from the user dialog, that the user option to employ encryption or not has been removed, and now this behavior for entering a null Master, I'm again left questioning if SM encrypts passwords at all...which was a point I asked for detail and clarification on when I first tried SM 2.0. Very sloppy...information-wise, if not implementation-wise as well.

I've got no problem with re-entering my data if it means I'm using a truly secure implementation.

--
     - Rufus
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
