On Dec 3, 2007 4:59 PM, Charles E. Campbell, Jr. wrote:
>
> Matt Wozniski wrote:
>
> >On Dec 3, 2007 2:05 PM, Charles E. Campbell, Jr. wrote:
> >
> >>Assuming that I have an encrypt/decrypt function pair, the pid could be
> >>used as a single-session p/w that would be transparent to the user.  I
> >>don't see any point in saving a ftp password but requiring the user to
> >>enter some other password to make the ftp password available.  Such
> >>things as recording the hundredth of a second that vim/gvim started
> >>along with the pid would act as an improved session-only password.
> >
> >Sure, I understand that you could use it as a key to encrypt the
> >password, but what I'm really asking is what you gain from that.  Is it
> >really more secure to have an encrypted string and its decryption key
> >stored in memory than it is to have an unencrypted string in memory?
> >Particularly on an open-source project where anyone who wants to can
> >view your source code?
>
> Where's the part where I said I'd store the session pid in some
> variable?  Something like getpid() would be called during
> encrypt/decrypt, not stored.

My point was that a would-be cracker would have access to both the
encryption key and the encrypted text.  Using the pid as the key is
not made more secure by not storing it, since that cracker would also
have access to the hypothetical getpid() function; it just saves him
the trouble of accessing a variable to get the key.

~Matt

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
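
The point argued in the reply above, as an added example that is not part of the original thread or of Vim's code: a secret "encrypted" under a key derived from getpid() is readable by anything that can obtain the ciphertext, because the key is available to it as well. The XOR/SHA-256 scheme, the function names, the pid limit of 32768, the one-day start-time window and the sample values are all assumptions constructed for illustration.

```python
import hashlib
import math
import os

def keystream(pid: int, n: int) -> bytes:
    """n bytes derived from the pid alone (hypothetical stand-in for the encrypt/decrypt pair)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{pid}:{counter}".encode()).digest()
        counter += 1
    return out[:n]

def xor_with_pid(data: bytes, pid: int) -> bytes:
    """XOR is its own inverse, so the same call hides and reveals."""
    return bytes(a ^ b for a, b in zip(data, keystream(pid, len(data))))

def store(password: str) -> bytes:
    """What the session would hold in memory: ciphertext keyed by getpid()."""
    return xor_with_pid(password.encode(), os.getpid())

def recover_in_process(blob: bytes) -> str:
    """Any code running in the same process can call getpid() as well."""
    return xor_with_pid(blob, os.getpid()).decode()

def candidate_pids(blob: bytes, pid_max: int = 32768) -> list[int]:
    """Pids whose keystream turns blob into printable ASCII (pid_max is an assumed limit)."""
    hits = []
    for pid in range(1, pid_max + 1):
        plain = xor_with_pid(blob, pid)
        if all(32 <= b < 127 for b in plain):
            hits.append(pid)
    return hits

def key_bits(pid_max: int = 32768, start_ticks: int = 1) -> float:
    """Upper bound on key entropy: log2 of the number of possible keys."""
    return math.log2(pid_max * start_ticks)

if __name__ == "__main__":
    secret = "constructed-ftp-password-01"            # constructed sample value
    print(recover_in_process(store(secret)) == secret)
    blob = xor_with_pid(secret.encode(), 31337)       # constructed pid
    print(candidate_pids(blob))                       # the true pid is among the hits
    # pid only, then pid plus start time in hundredths of a second over an assumed day
    print(key_bits(), round(key_bits(start_ticks=8_640_000), 2))
```

The pid and the start time of a process are also visible to other local users through the process listing, so the bound from `key_bits` overstates what an observer on the same machine actually has to guess.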