I didn't see an option, perhaps it's not even on the list of requests... but when I look at the 'user' table, the user's password is stored in cleartext.
Having my fossil file on a shared server, this makes me a bit nervous. Anyone who has access to that file can read all the user passwords. It would be trivial to change the password stored to sha1(login+pw). In that case it would also be difficult to hack, since different users with the same password would have wildly different values saved in the user table.

--
Sending me something private? Use my GPG public key: AD29415D