[croquet] MC passwords in images?

Bert Freudenberg bert at impara.de
Fri Nov 4 19:27:41 UTC 2005


Am 04.11.2005 um 20:08 schrieb Andreas Raab:

> Hi Folks,
>
> I just noticed that I handed out a whole bunch of images with plain- 
> text passwords for various of the more sensitive repositories,  
> thanks a lot (and no, if you have one of those it won't work any  
> longer - I changed them). So for those of you who use MC and at  
> times pass images around it is probably useful to check who's been  
> in those repositories recently.

Since Monticello-bf.266, passwords were removed at image startup. It  
does not remove the user name, instead, you are asked for the  
password if a user name is set but no password.

Because people did not like having to re-enter the password after  
each image start, Monticello-bf.268 changed that to reset the  
passwords only if the author initials were reset, too.

> Oh, and is anyone out there interested in implementing a password  
> manager that stores passwords *outside* of an image in a reasonably  
> secure location?

I did, a while ago (in Monticello-bf.238 from 14 April 2005):

userAndPasswordFromSettingsDo: aBlock
	"The mcSettings file in ExternalSettings preferenceDirectory should  
contain entries for each account:
	
		account1: *myhost.mydomain* user:password
		account2: *otherhost.mydomain/somerep* dXNlcjpwYXNzd29yZA==

	That is it must start with 'account', followed by anything to  
distinguish accounts, and a colon. Then comes a match expression for  
the repository url, and after a space the user:password string.
	
	To not have the clear text password on your disc, you can base64  
encode it:
			(Base64MimeConverter mimeEncode: 'user:password' readStream) contents
	"


- Bert -




More information about the Squeak-dev mailing list