Hi Alex and Edwin,

>>> This is a big flaw.  You should not be able ever to find out his
>>> password.
>>
>> Why not?
>>
>> Nobody could stop me anyway. I could trace the program during execution,
>> for example, to get the passwords.
>
> oh yes! :D

So you don't lock your house because it's impossible to make it
thief-proof?  Or, why do you lock your house when it is so easy to break
in anyway?  Your lock most likely works because there is so little
incentive to get in.  Some time ago I saw a BBC documentary about how
rich people live in Moscow.  One of their main criteria was how many
guards with Kalashnikovs the place had :-o

Maybe "ever" was too strong a word, because it's impossible, as you
quickly pointed out.  However, securing login is not black and white but
rather many shades of gray.

If you use plain text passwords and somebody gets hold of the data, he
has all those passwords available for all users instantly.  If you don't
store the passwords, you significantly limit the places and moments
where the passwords can leak.  Also, not all of them leak at the same
time, but only one or a few might get compromised
(e.g. if you trace the program during execution in order to spy on
somebody's password).  In other words, there is a huge difference
between getting all passwords in one go the moment I get access to the
machine, and getting passwords gradually as people log in while
I have access to the machine.  And it's rather easy to fix.

I personally have bad experience with people storing passwords in plain
text.  Technically it might not be an issue (after all I think the wiki
doesn't need passwords at all) but it is certainly one of those warning
signs telling me "get ready for trouble with these guys"
(http://i.imgur.com/xZW77.png ).  And this issue pops up all the time,
e.g. today on reddit
http://www.reddit.com/r/programming/comments/dwkzr/is_it_industry_common_practice_to_send_plaintext/

Cheers,

Tomas
-- 
UNSUBSCRIBE: mailto:picol...@software-lab.de?subject=unsubscribe
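The difference Tomas describes, a store that hands over every password the moment its data file is copied versus one that keeps only salted hashes, as an added example in Python. This is not code from the PicoLisp wiki or from anyone in the thread; the store layout, the `ITERATIONS` work factor and the user names are constructed for the illustration, and PBKDF2-HMAC-SHA256 is the hashing scheme assumed here.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune upward on real hardware.
ITERATIONS = 200_000


def plaintext_register(store, user, password):
    # The weak pattern from the thread: the secret itself sits at rest,
    # so whoever copies `store` has every password at once.
    store[user] = password


def plaintext_verify(store, user, password):
    return store.get(user) == password


def hashed_register(store, user, password):
    # A fresh random salt per user: equal passwords yield different digests
    # and a precomputed table cannot be reused across users.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    store[user] = {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def hashed_verify(store, user, password):
    rec = store.get(user)
    if rec is None:
        # Burn the same work for an unknown user so response time does not
        # reveal which user names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), rec["salt"], rec["iterations"]
    )
    # Constant-time comparison of the digests.
    return hmac.compare_digest(candidate, rec["digest"])


def leaked_passwords(store):
    """What an attacker who copies the data file gets directly: every
    plaintext from the weak store, nothing usable as-is from the hashed one."""
    return [v for v in store.values() if isinstance(v, str)]


if __name__ == "__main__":
    weak, strong = {}, {}
    plaintext_register(weak, "alice", "hunter2")   # constructed sample
    hashed_register(strong, "alice", "hunter2")
    print("weak store leaks:", leaked_passwords(weak))
    print("hashed store leaks:", leaked_passwords(strong))
    print("login ok:", hashed_verify(strong, "alice", "hunter2"))
```

Note that hashing does not remove the window Tomas mentions: a password still passes through memory in plaintext while `hashed_verify` runs, which is exactly the "gradually, as people log in" exposure. What changes is that copying the data file no longer yields all credentials in one go.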
