Although keeping the password plaintext in a configuration file isn't
the best way to handle a password that software needs to remember, I do
however want to point out that in order for programs to remember your
password, they *must* store the password in some sort of reverseable
obfuscation, meaning that once the obfuscation algorithm is known, the
password is no more secure no matter how obfuscated it gets, as the
software must at some point in time return it to a plaintext form in
order to make use of it.
Obfuscating stored passwords only provides a minimal level of additional
protection. If you are using a system where someone has access to your
configuration files (example: public computer lab in a library or
college campus), then do *not* store your password on that machine. If
someone has the same access to that machine as you do, consider any
information you store on it to be publicly available, and take
appropriate precautions for sensitive information.
-MightyE
Neil Dickey wrote:
>Marc Ruef <marc.ruef (at) computec (dot) ch [email concealed]> wrote:
>
>
>
>>The following paste shows the IMAP mail part of this configuration file.
>>You can see that the line 17 shows the unencrypted password
>>("MyPassword4").
>>
>>[ ... Snip ... ]
>>
>>user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
>>user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
>>
>>
>
>I notice from the line immediately following that you have the package
>remember your password. It's been my understanding that doing so is
>bad practice because that's just the sort of thing that someone probing
>your system would very likely be looking for. Certainly if you save
>your password only in your head, then whether or not the program stores
>it in the clear is a moot question. ;-)
>
>Best regards,
>
>Neil Dickey, Ph.D.
>Research Associate/Sysop
>Geology Department
>Northern Illinois University
>DeKalb, Illinois
>60115
>
>
>
the best way to handle a password that software needs to remember, I do
however want to point out that in order for programs to remember your
password, they *must* store the password in some sort of reverseable
obfuscation, meaning that once the obfuscation algorithm is known, the
password is no more secure no matter how obfuscated it gets, as the
software must at some point in time return it to a plaintext form in
order to make use of it.
Obfuscating stored passwords only provides a minimal level of additional
protection. If you are using a system where someone has access to your
configuration files (example: public computer lab in a library or
college campus), then do *not* store your password on that machine. If
someone has the same access to that machine as you do, consider any
information you store on it to be publicly available, and take
appropriate precautions for sensitive information.
-MightyE
Neil Dickey wrote:
>Marc Ruef <marc.ruef (at) computec (dot) ch [email concealed]> wrote:
>
>
>
>>The following paste shows the IMAP mail part of this configuration file.
>>You can see that the line 17 shows the unencrypted password
>>("MyPassword4").
>>
>>[ ... Snip ... ]
>>
>>user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
>>user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
>>
>>
>
>I notice from the line immediately following that you have the package
>remember your password. It's been my understanding that doing so is
>bad practice because that's just the sort of thing that someone probing
>your system would very likely be looking for. Certainly if you save
>your password only in your head, then whether or not the program stores
>it in the clear is a moot question. ;-)
>
>Best regards,
>
>Neil Dickey, Ph.D.
>Research Associate/Sysop
>Geology Department
>Northern Illinois University
>DeKalb, Illinois
>60115
>
>
>
[ reply ]