Magnus Hagander wrote:
Are we sure we want to do this? (Sorry, didn't notice this thread last
time)
The default on *all* windows versions since NT 4.0 (which is when the
directory we use was added) will put this file in a protected directory.
Is there truly such a thing on a windows PC? All it takes is one Virus
or Malware to gain access to the PC and anything stored in the
user profile is easy picking.
The virus and malware creators may not know about the pg_pass file now,
but they will eventually.
What about having a wallet type system where the user can create a pass
phrase to protect a generated key that would get
loaded once per session. That is how KDE allows users to store passwords.
I work at a large financial institution and if the auditors knew about
the pg_pass being plain text, they would pretty much ban
it's use.
Anytime a password is sitting on a non encrypted file system, regardless
of it's permissions it is potentially at risk.
--
Tony