On Wed, Apr 22, 2015 at 10:08 AM, Tom Hacohen <[email protected]> wrote:
> On 22/04/15 09:04, Carsten Haitzler wrote:
>> raster pushed a commit to branch master.
>>
>> http://git.enlightenment.org/core/enlightenment.git/commit/?id=40a91376c6024b08e99981a61376be3927aa9c61
>>
>> commit 40a91376c6024b08e99981a61376be3927aa9c61
>> Author: Carsten Haitzler (Rasterman) <[email protected]>
>> Date:   Wed Apr 22 17:03:44 2015 +0900
>>
>>      e screenlock config dialog - note insecureness for personal pw/pin
>>
>>      these store pin/pw in your user config files - it may be primitively
>>      hashed to obscure it, but it's there. it never pretended to have
>>      secure storage and even saved cleartext until e19. make sure people
>>      are aware
>
> It's really not too different from cleartext. Well actually it is,
> because the hash is so shitty and only 32bit, it's more likely you'll
> get a different password to work than the real one, so maybe revealing
> the original password won't be easy with so many passwords working. :)

We can easily improve security with 1.14 forward by using a SHA1 +
salt stored in a ciphered EET section using the user password for that
purpose. The purpose of storing inside the section SHA1+salt and not
directly a boolean or something trivial is to add more time checking
if the password was correct as EET can't know if it was able to
decipher a ciphered section correctly. It is the data inside the
section that tells if the data are cleanly read or not. That would make
it as secure as any other password storage out there I guess.
-- 
Cedric BAIL

_______________________________________________
enlightenment-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
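
The scheme proposed in the reply above (a salt plus SHA1 kept inside a section ciphered with the user's password, so that the section's contents are what reveal whether the password was right) can be illustrated as follows. This is an added example, not code from the thread or from EFL: the hash-based keystream only stands in for EET's section cipher, and the PBKDF2 key derivation, iteration count, record layout and function names are assumptions of this example.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed work factor for this example


def _derive_key(password: str, kdf_salt: bytes) -> bytes:
    # Assumption: the cipher key is stretched from the password with PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), kdf_salt,
                               KDF_ITERATIONS, 32)


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    # Stand-in for the section cipher: like it, this has no integrity check,
    # so a wrong key silently yields garbage instead of an error.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def enroll(password: str) -> bytes:
    """Build the stored blob: kdf_salt || cipher(salt || SHA1(salt || pw))."""
    kdf_salt = os.urandom(16)
    salt = os.urandom(16)
    record = salt + hashlib.sha1(salt + password.encode()).digest()
    return kdf_salt + _xor_keystream(_derive_key(password, kdf_salt), record)


def check(stored: bytes, attempt: str) -> bool:
    """Decipher with the attempted password, then test the inner verifier."""
    kdf_salt, blob = stored[:16], stored[16:]
    record = _xor_keystream(_derive_key(attempt, kdf_salt), blob)
    salt, digest = record[:16], record[16:]
    # With the wrong key, salt and digest are unrelated garbage, so the
    # recomputed SHA1 does not match; compare in constant time.
    expected = hashlib.sha1(salt + attempt.encode()).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    blob = enroll("1234")          # constructed sample PIN
    print(check(blob, "1234"), check(blob, "4321"))
```
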
