Quoting Brian Jones <bkjones at gmail.com>: > Thanks, Kevin. > > Can I make a feature request to whoever sees this that is way better > at Java/C than me to at least make the stored password crypted in > something stronger than rot13? Just my opinion, but its kind of moot what format its stored in, as long as its a reversible cipher. An attacker need only see the ciphertext. Obscurity provides only one thing - it raises the bar to actually use the password, in that it requires an attacker to do a minimal amount of work to figure out what the plaintext is. If the server daemon can use a reversible process to obtain plaintext, then so can the attacker and they need to do that work first, before they can just type it in. So the note in the documentation about not using this mechanism for storing passwords on an unsecured system is definitely to be heeded. I've seen a number of debates about the merits of obscuring passwords in other contexts - in one case, the decision was apparently made that it wasn't even worth the hassle to obscure the password and it was echoed onto the screen of the browser, since in theory, only administrators could access that screen. I'd be interested to see what others think about obscuring the admin password. Kevin -- Kevin M. Myer Senior Systems Administrator Lancaster-Lebanon Intermediate Unit 13 http://www.iu13.org
