[Cosmo-dev] adding password retrieval to cmp

Brian Moseley bcm at osafoundation.org
Fri Aug 18 17:05:50 PDT 2006


On 8/18/06, Matthew Eernisse <mde at osafoundation.org> wrote:

> If the patch doesn't do that, then what were the stated security
> objections? (I don't know how you're encrypting passwords, but now that
> I think about it, I should have assumed it's one-way anyhow.) I'd be
> more concerned as an end user about the unencrypted data like my e-mail
> address or other personal stuff.

well, you could imagine somebody extracting an encrypted password and
then using a dictionary attack to try to find a match. of course,
they'd have to be an admin (or find a bug in our authn/authz
mechanisms) to get the password in the first place, so they would have
access to the user's data anyway. so maybe it's a non-issue.

