[JDEV] Account information storage, plaintext?
Michael Brown
michael at aurora.gen.nz
Mon Sep 15 08:57:18 CDT 2003
----- Original Message -----
From: "Robert Norris"
>> IMO it is very undesirable that passwords are stored in plaintext, IMO
>> we should get rid of that ASAP :D I know we'll have to live with
>> plaintext passwords for quite some time to come but IMO it would be a
>> Good Thing(tm) if clients/servers would default to storing hashed
>> passwords.
>
> Well, I think that plaintext passwords on the wire are more of an issue
> than plaintext passwords in the data store.
>
> Basically, until we get auth mechanisms that are secure on the wire and
> don't require plaintext passwords on the server, then stuff I write will
> be storing passwords in plaintext.
I have to admit that I have never understood this (maybe someone can
explain) - sending plain text over the wire is bad, but it's a different
issue than storing them in plain text on the server. At least when you send
them there is a limited window for someone to sniff your password. They
have to be either lucky, or actually trying to find out what your password
is. With plaintext files on the server you have a 24x7 risk of someone
getting root access and just sniffing around to find out if there is
something interesting.

Maybe I'm missing something obvious, but what is the harm in
encrypting/hashing/obfuscating them? It seems bad form to have plain text
passwords stored anywhere when there is some sort of alternative (even if
it's not a particularly good one). The only con I can possibly think of is
that it might give the admin a false sense of security - but I can't see
that as a major issue, and probably one that can be addressed in the
documentation.

Yes, they are not going to be 100% secure
Yes, they have to be turned back into plaintext to be sent to the remote
  server
Yes, it's bad that they have to be sent over the wire in plain text
Yes, the admin SHOULD have the permissions set so no one but him/her can
  read them

But on the other hand:

It's not hard to do. (Hell, even ROT13ing them would be an improvement over
  plain text)
It stops a trusted admin from accidentally/in good faith reading/remembering
  them
Hashed passwords are MUCH harder to remember than plaintext ones (which are
  usually dictionary words)
It lessens the chance of some script kiddy getting hold of the password
  file, and realising that he/she has a bunch of AIM/ICQ/MSN passwords and
  going nuts with them

It's kind of like putting a lock on a glass door. The effort to find
something to break the glass with is going to be enough to deter some
people, but it won't stop someone who is really intent on getting inside. I
don't know of any (Windows) clients that store the password in plain text in
the registry/config file - and in theory you trust everyone who you give
access to your PC. I would be very surprised if when I clicked "Remember
this password" in IE if I could then find it in plain text on my Win2000
machine.
Michael.
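
The trade-off argued in this thread, as an added example that is not part of the original message or of any Jabber server's code: a salted-hash store can verify a password that arrives in plaintext, but it cannot answer a digest-style login where the server must recompute a hash over the password itself. The digest scheme H(challenge + password), the PBKDF2 parameters and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def store_hashed(password: str) -> dict:
    """Server-side record that never contains the plaintext password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": dk}


def verify_plaintext_login(record: dict, offered: str) -> bool:
    """Password arrives in the clear on the wire; server re-derives and compares."""
    dk = hashlib.pbkdf2_hmac("sha256", offered.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(dk, record["hash"])


def client_digest(challenge: str, password: str) -> str:
    """Hypothetical digest login: client sends H(challenge + password), not the password."""
    return hashlib.sha1((challenge + password).encode()).hexdigest()


def verify_digest_login(stored_plaintext, challenge: str, response: str) -> bool:
    """Server must recompute H(challenge + password), so it needs the plaintext."""
    if stored_plaintext is None:  # hashed-only store: nothing to recompute from
        return False
    expected = client_digest(challenge, stored_plaintext)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "correct horse"        # constructed sample value
    record = store_hashed(password)
    challenge = os.urandom(8).hex()   # per-session value chosen by the server
    response = client_digest(challenge, password)
    return {
        "plaintext_login_ok": verify_plaintext_login(record, password),
        "wrong_password_ok": verify_plaintext_login(record, "letmein"),
        "digest_with_plaintext_store": verify_digest_login(password, challenge, response),
        "digest_with_hashed_store": verify_digest_login(None, challenge, response),
        "record_contains_plaintext": password.encode() in record["salt"] + record["hash"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same limitation applies to passwords that have to be turned back into plaintext for a remote service: a one-way hash cannot be replayed there, so only reversible protection is possible for those.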