[imp] Windows XP caches login credentials.
Eric Rostetter
eric.rostetter@physics.utexas.edu
Sun, 21 Jul 2002 16:21:06 -0500
Quoting Jon Parise <jon@horde.org>:
> This is getting silly. Should we also warn the user when we see
> they're using a weak password?
IMP should not, as it does not create/set/change passwords, and should not set
or enforce policy for passwords. Horde maybe should in the admin suite if it
allows one to create/set/change passwords. My passwd module tries to allow
password checks, since it sets/changes passwords. Before I added that a while
back, I got 3-4 emails a week asking for it to be added. It was the #1
request for all the sork modules...
Some things (like using ssl for security) are so outside horde/imp (really
a web server issue) that they are best left for the documentation.
Others (like html in-line) are best left as a config item with some
documentation as to the security implications.
Now, if we don't do anything with autocomplete, it is an issue which may
not be known to the user/installer. As such, it may get talked up as a
security concern on mailing lists, etc. This could hurt the reputation of
Horde/IMP, which would be bad, even if it isn't really the fault of Horde/IMP
but of the client/browser.
And if the Horde project doesn't add code and configuration options (like
for the in-line html) then the only way to "fix it" is for people to change
the source code, which is never a good thing. If it is a config item, then
they just have to modify the configuration (which is a good thing). Should
it be on by default? I don't care. If off by default, it *must* be mentioned
in the docs/comments though as to the security issues surrounding it (like
the in-line html). Probably just some strong language comments about it
in the config file is enough, but further docs might be nice...
> I'm as security conscious as anyone else, but I think this is going a
> little bit too far.
Valid opinion (as is the opposite opinion).
> If this is a real issue for a site, it's trivial for them to patch
> their copy to include those tags.
I hate the idea of having to patch source code. Makes upgrades/updates
a nightmare... Then it becomes an FAQ... Then we have people patching
it wrong, etc. Maybe some bad press about it... Who knows...
I have no really strong opinion, but my weak opinion is I'd like to see
it added as an option. Default on or off I could care less. On would
be good for backwards compatibility. Off would be good for security.
I really don't care, as I'm going to configure it to my likes, and
so should everyone else...
> --
> Jon Parise (jon@horde.org) :: The Horde Project (http://horde.org/)
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
to a brand, platform, product line, or programming language. It's relatively
harmless among the rank and file, but when management is afflicted the damage
can be measured in dollars. It's also contagious -- someone with sufficient
political clout can infect an entire organization."
--"Enterprise Strategies" columnist Tom Yager.