[croquet] MC passwords in images?
Bert Freudenberg
bert at impara.de
Fri Nov 4 19:27:41 UTC 2005
Am 04.11.2005 um 20:08 schrieb Andreas Raab:
> Hi Folks,
>
> I just noticed that I handed out a whole bunch of images with plain-
> text passwords for various of the more sensitive repositories,
> thanks a lot (and no, if you have one of those it won't work any
> longer - I changed them). So for those of you who use MC and at
> times pass images around it is probably useful to check who's been
> in those repositories recently.
Since Monticello-bf.266, passwords were removed at image startup. It
does not remove the user name, instead, you are asked for the
password if a user name is set but no password.
Because people did not like having to re-enter the password after
each image start, Monticello-bf.268 changed that to reset the
passwords only if the author initials were reset, too.
> Oh, and is anyone out there interested in implementing a password
> manager that stores passwords *outside* of an image in a reasonably
> secure location?
I did, a while ago (in Monticello-bf.238 from 14 April 2005):
userAndPasswordFromSettingsDo: aBlock
"The mcSettings file in ExternalSettings preferenceDirectory should
contain entries for each account:
account1: *myhost.mydomain* user:password
account2: *otherhost.mydomain/somerep* dXNlcjpwYXNzd29yZA==
That is it must start with 'account', followed by anything to
distinguish accounts, and a colon. Then comes a match expression for
the repository url, and after a space the user:password string.
To not have the clear text password on your disc, you can base64
encode it:
(Base64MimeConverter mimeEncode: 'user:password' readStream) contents
"
- Bert -
More information about the Squeak-dev
mailing list
|