[dev] Initial configuration setup suggestion

Jan Schneider jan at horde.org
Wed May 18 10:51:44 PDT 2005


Quoting Kevin Myer <kevin_myer at iu13.org>:

>> No, we even changed them to clear text fields in the past. Password
>> fields gain you nothing in an interface that only admins have access
>> to. Even in your case, the users could simply look at the HTML source
>> code to reveal the passwords.
>
> Administrators may give trainings in a public or lab setting. Or they may be
> sitting at their desk, with someone watching over their shoulder. It's just bad
> to echo passwords to a screen in both cases. I know they're in the HTML source
> - that's not ideal but there's no real way around it that I can see. If someone
> can sit down at my desk and get access to the page source, I've got bigger
> problems to worry about, like what else they can access from all the other
> terminal windows I have open.

Exactly.

> It amounts to security through obscurity to obfuscate the password, but for the
> two situations above, it's good enough, and it's essential. I hate seeing

I don't agree and it has been discussed before.

> plaintext anywhere, even in text config files (which are still observable by
> someone glancing over your shoulder if you're in over a console or terminal
> session). Maybe the addition of a config key, that could be used to
> crypt/decrypt "sensitive" items, like passwords. Store it in a separate file,
> have a way to tag certain config items as "sensitive", and store "sensitive"
> info in config files in a reversible hash - similar to what's done with storing
> passwords in session data, using the Secret class and a cookie as the key.

You can always change the config tags to <configpassword> on your local 
install.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
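The scheme Kevin sketches in the quoted message (a key kept in a separate file, config items tagged as "sensitive", and those items stored in reversibly encrypted form) can be shown concretely. The following is an added example written for this page; it is not Horde code and not the Secret class the thread refers to. It is written in Go rather than PHP so it runs stand-alone, and it uses AES-256-GCM (an authenticated cipher) in place of the "reversible hash" wording, so a wrong key or an edited value is rejected instead of yielding garbage. The `enc:` prefix used to tag a value as sensitive and the key-file path in `main` are assumptions of this example, not project conventions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// encPrefix tags a config value as "sensitive" (stored encrypted). This tag
// convention is an assumption of this example, not a Horde convention.
const encPrefix = "enc:"

// LoadKey reads a 32-byte AES-256 key from a file kept outside the config.
// The separation only helps if this file's permissions are tighter than the
// config file's (e.g. mode 0600, owned by the web server's service account).
func LoadKey(path string) ([]byte, error) {
	key, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("key file %s: want 32 bytes, got %d", path, len(key))
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptValue seals plaintext with AES-256-GCM under key and returns a tagged,
// base64-encoded string that can be written into a config file. The random
// nonce is prepended, so encrypting the same value twice gives different output.
func EncryptValue(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, nonce, []byte(plaintext), nil)
	return encPrefix + base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptValue returns the plaintext for a tagged value. Untagged values are
// returned unchanged, so existing clear-text entries keep working. Any change
// to the stored blob, or use of the wrong key, fails GCM authentication.
func DecryptValue(key []byte, stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return stored, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, sealed, nil)
	if err != nil {
		return "", fmt.Errorf("decrypt failed (wrong key or tampered value): %w", err)
	}
	return string(pt), nil
}

func main() {
	// Constructed in-memory key standing in for LoadKey("/path/to/config.key").
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	stored, err := EncryptValue(key, "db-password-example")
	if err != nil {
		panic(err)
	}
	fmt.Println("config line:", "$conf['sql']['password'] = '"+stored+"';")
	pt, err := DecryptValue(key, stored)
	fmt.Println("decrypted:", pt, "err:", err)
	_, err = DecryptValue(make([]byte, 32), stored)
	fmt.Println("wrong key err:", err)
}
```

The design point this makes for the thread's argument: the value in the config file is no longer readable over someone's shoulder, but anyone who can read both the config and the key file can recover it, so the gain is exactly the difference in who can read those two files. Keeping the key file more tightly permissioned than the config is what turns the scheme from obscurity into a real control.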
