[impdev] http://redmine.kokuaviewer.org/issues/1126 encrypting passwords.

David Seikel onefang at gmail.com
Tue Mar 6 03:52:09 PST 2012


Imprudence does not encrypt the passwords stored on disk. It's been
like that for ten months.  That problem made it into the last beta of
1.4 I think, so I'd say that people are using it by now.  I don't think
it made it into 1.3.2, as I think that feature was only introduced into
the 1.4 experimental released just before 1.3.2.

Commit a0902a050cc713f742990a09d2a610d4c135b7c7 has the section that
encrypts the password commented out as being buggy.  Now it should not
be too much drama to fix that, but there's a bigger problem to deal
with.  Fixing that will break people's stored passwords.  Sooo, what to
do?

Both sorts of stored passwords are 32 bit hexadecimal strings.  So we
can't tell which sort of password it is and fix it on the fly.

Could we assume that "avatarpassword" is the unencrypted version, and
store a new "encryptedpassword"?  I think we can, as the bug has been
there since we started storing them.  Then we can convert it on the
fly, and store it encrypted from then on.

What do you all think?

-- 
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.
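
The migration proposed in the message above, as an added example that is not part of the original post or of Imprudence's code. The field names "avatarpassword" and "encryptedpassword" come from the post; the entry dictionary, the machine key, the sample value and the XOR `protect` stand-in (which is not the viewer's cipher) are assumptions made for illustration.

```python
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")
LEGACY_KEY = "avatarpassword"    # from the post: assumed to hold the unencrypted form
NEW_KEY = "encryptedpassword"    # from the post: proposed new field
SAMPLE = "0123456789abcdef0123456789abcdef"  # constructed 32-character hex value

def protect(value_hex: str, machine_key: bytes) -> str:
    """Stand-in for the real cipher (assumption): XOR with a machine-bound pad.
    Maps a hex string to a hex string of the same length and is its own inverse."""
    raw = bytes.fromhex(value_hex)
    pad = hashlib.sha256(machine_key).digest()[:len(raw)]
    return bytes(a ^ b for a, b in zip(raw, pad)).hex()

unprotect = protect  # XOR is symmetric

def looks_like_password(value: str) -> bool:
    """Content check only; it cannot tell the two storage forms apart."""
    return bool(HEX32.match(value))

def migrate(entry: dict, machine_key: bytes) -> bool:
    """Convert one saved-login entry in place. Returns True if it changed."""
    if NEW_KEY in entry:
        # Already migrated: drop any stale legacy copy instead of trusting it.
        return entry.pop(LEGACY_KEY, None) is not None
    legacy = entry.get(LEGACY_KEY)
    if legacy is None:
        return False
    if not looks_like_password(legacy):
        raise ValueError("unexpected stored password format")  # entry left untouched
    entry[NEW_KEY] = protect(legacy, machine_key)
    del entry[LEGACY_KEY]  # never leave the unencrypted copy on disk
    return True

def load_password(entry: dict, machine_key: bytes):
    """Read path: migrate on the fly, then decode only from the new field."""
    migrate(entry, machine_key)
    stored = entry.get(NEW_KEY)
    return unprotect(stored, machine_key) if stored else None

if __name__ == "__main__":
    key = b"constructed-machine-id"
    entry = {LEGACY_KEY: SAMPLE}
    # Both forms pass the same format check, so the field name has to decide.
    print(looks_like_password(SAMPLE), looks_like_password(protect(SAMPLE, key)))
    print(load_password(entry, key) == SAMPLE, sorted(entry))
```
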