[dev] conf files and sql passwords

Eric Rostetter eric.rostetter at physics.utexas.edu
Mon Feb 3 14:00:16 PST 2003


Quoting Mike Cochrane <mike at graftonhall.co.nz>:

> I just added a configpassword type and used it in the moment conf.xml. So a
> password field is used in the config form instead of a text field. Is that
> what you were meaning?
> 
> - Mike :-)

It doesn't buy much.  The plain text password is still in the page (to be
sniffed on the wire, or examined with "show source" in the browser).  Any
info filled in will be stored in a temporary file on disk (in most browsers)
in the clear.  Also in memory in the clear.

So, while this isn't a bad thing, and does help to "not show it on the
screen" it is certainly no security fix.

As for my statement that it would "cause confusion" I guess I was overstating
that, and will retract it.

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
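An added illustration of the point Eric makes above (not code from the thread or from the project): a `configpassword` field only helps if the stored secret is never echoed back into the form, and an empty submission is treated as "keep the current value". The config dict, field names and `SCHEMA` are constructed stand-ins for conf.xml, not the real file.

```python
import html

# Constructed sample config (stands in for the SQL settings in conf.xml).
STORED_CONF = {"sql_user": "horde", "sql_password": "s3cret-old"}

# Hypothetical schema: (field name, field type). "configpassword" is the
# type discussed in the thread; "configstring" is an assumed text type.
SCHEMA = [("sql_user", "configstring"), ("sql_password", "configpassword")]


def render_field(name, value, kind):
    """Render one config input as HTML.

    For a configpassword field the stored value is deliberately NOT written
    into the page, so "show source", the browser's cache and anyone
    sniffing the response see nothing on the way to the client.
    """
    if kind == "configpassword":
        return f'<input type="password" name="{html.escape(name)}" value="">'
    return (f'<input type="text" name="{html.escape(name)}" '
            f'value="{html.escape(value)}">')


def render_form(conf, schema):
    """Render every field of the schema from the current config."""
    return "\n".join(render_field(n, conf.get(n, ""), k) for n, k in schema)


def apply_submission(conf, schema, submitted):
    """Merge a posted form into the config.

    An empty configpassword field means "leave the existing secret alone",
    so an admin changing an unrelated setting never has to re-type, and
    therefore re-transmit, the password.
    """
    new = dict(conf)
    for name, kind in schema:
        val = submitted.get(name, "")
        if kind == "configpassword" and val == "":
            continue
        new[name] = val
    return new
```

A newly typed password still travels to the server in the clear unless the form is served over TLS, which is exactly the wire exposure Eric describes.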
