![]()
#Security obscurity passwordprovide a way for users that do not care about security and prefer simplicity, by storing by default the password as a cleartext.So for me, the best way to design tools that need to store password is: even if you need to type the PGP passphrase at the beginning, you can use the same PGP key for all the applications that would need it, so it's not really a big deal to type once the password.it is secure as long as the attacker has no access to the (volatile) RAM memory (which is obviously the case when you do a backup).the user needs to configure the PGP tool at some point.you need to type a password the first time you need to call the PGP tool.This kind of tool asks for a master passphrase the first time you need to run PGP, and then it keeps in memory the secret, and can decrypt all the wanted files as long as the computer is on. The idea is easy: encrypt the password using a tool like PGP. However, I would like to point out that there is another solution, not based on obscurity, that can, more or less, achieve the wanted goal. If they refuse to encrypt the password, you could post a followup feature request asking for a way to use the tool without storing the password (on disk).Īs everyone here, I fully agree that obscurity is not a solution to store password. Regardless, you shouldn't really lose any sleep on the comment and wait for the developers to reply officially. I suspect that's what the commenter meant. Therefore implementing password encryption on fetchmail is in fact "security through obscurity", and completely useless. The problem here is that if someone has access to the encrypted configuration file, they already have everything they need to impersonate you, as the only other thing they need is fetchmail itself. fetchmailrc encryption would do is give a false sense of security to people who don't think very hard. #Security obscurity codefetchmailrc file will be able to run fetchmail as you anyway - and if it's your password they're after, they'd be able to rip the necessary decoder out of the fetchmail code itself to get it.Īll. fetchmailrc file is because this doesn't actually add protection.Īnyone who's acquired the 0600 permissions needed to read your. The reason there's no facility to store passwords encrypted in the. These seems to be in a complete opposition, to what I've been told and learnt for years, so I would like to ask more experienced developers, who is right here and how exactly I should understand "StO"?įrom Eric Raymond's design notes on Fetchmail: #Security obscurity windows(another question is, how can I achieve this on system as unsecure as Windows itself?) ![]() He do not have to implement encryption of file with my password, it can remain there, stored unencrypted and it is I, who is responsible for assuring security by not giving anyone access to this file or by deleting it each time I stop using that soft. And looking from this point of view, I'm completely wrong and that program author is right. This statement (or refusal) is often brought as example of Security through obscurity. ![]() But then I found a Eric Raymond's Fetchmail example (in " The Cathedral and the Bazaar"), who refused to implement config file encryption (passwords are stored in config file for Fetchmail), claiming that it is up to the user to assure security by not letting anyone "from the outside" access that configuration file. #Security obscurity proHow should I understand this comment? Is it pro or con my issue? At first I thought, that it supports my statement of fixing this ASAP. I haven't got any reply yet, but my issue got one comment, that includes only above mentioned link to Wikipedia's " Security through obscurity" page. ![]() I have risen a ticket asking program author to fix this ASAP. Just a string, clearly seen to everyone, that can drag&drop it to Notepad or use F3 in Total Commander. I've noticed, that it stores my password in plain-text unencrypted file. I'm using a small program (I won't name it, to not enlarge enough large shame on its author) that uses my Google account for some tasks. What exactly does " Security through obscurity" means in the context of stroing unencrypted passwords? ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |