Subj : src/sbbs3/useredit.cpp
To   : MRO
From : echicken
Date : Mon Feb 27 2023 06:01 pm

Re: src/sbbs3/useredit.cpp
By: MRO to echicken on Mon Feb 27 2023 10:59:02

 >> encrypted password in many permutations per user, or we require
 >> different passwords for different services.

 MR> so you think other comparable software does the same thing? I wasn't aware
 MR> of that. having passwords in multiple files in plain text seems insecure.

I don't know about comparable, but I've used things that required a different password for some protocol. I had a separate POP3 password in gmail, for example. I don't know if this was for a technical reason or if it was like a revocable 'device password'.

By multiple permutations I mean hash the password several different ways, storing each result (probably in the same file), but never the original. The goal being to have hashes on hand compatible with different protocols. It'd be a huge pain though, and I haven't thought it through. Might not work at all.

 MR> also how about just encrypting the system password? i'd be happy with that
 MR> at least. sure it needs to be decrypted somehow. does that just make it not
 MR> worth doing? with the wrong script running, someone can get full access.
 MR> i've done it several times to demonstrate.

The main problem is how to safely pass in the encryption key so that there's been a net improvement in security. An environment variable is probably the only real answer, and even then not fully. At least then it's passed in at runtime, not on the command line, and not necessarily in a file on disk.

Depending on what you mean by running the wrong script, there isn't always much to be done to protect sysops from themselves. A JS module could do whatever it wanted to your BBS, and I don't think most sysops realize how much trust is involved there. Some shell script or batch file running as your BBS user could do a lot of damage or see a lot of data, which encryption might mitigate depending on the scenario.
--- echicken electronic chicken bbs - bbs.electronicchicken.com --- þ Synchronet þ electronic chicken bbs - bbs.electronicchicken.com .
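An added illustration of the "hash it several ways, never store the original" idea from the message above; this is example code written for this page, not Synchronet's code. It derives two protocol-specific verifiers from one plaintext at enrolment time: a salted PBKDF2 hash for the system's own login check, and the HTTP Digest HA1 value (MD5 of user:realm:password) that a Digest server can use in place of the plaintext. The realm name, iteration count and the sample credentials are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed realm for the Digest derivation; any deployment would pick its own.
REALM = "example-bbs"
ITERATIONS = 200_000


def make_password_record(username, password, salt=None):
    """Derive per-protocol verifiers from a plaintext password and discard the plaintext.

    'local'      : salted PBKDF2-HMAC-SHA256, for the system's own login check.
    'digest_ha1' : MD5(user:realm:password), what an HTTP Digest server needs (HA1).
    Challenge schemes such as CRAM-MD5 or APOP still need the plaintext (or an
    HMAC intermediate state), so they would need their own entry or a separate
    per-service password, which is the trade-off the thread is discussing.
    """
    salt = salt or secrets.token_bytes(16)
    local = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    return {"user": username, "salt": salt.hex(),
            "local": local.hex(), "digest_ha1": ha1}


def verify_local(record, password):
    """Check a plaintext login attempt against the stored PBKDF2 verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), record["local"])


def verify_digest(record, method, uri, nonce, client_response):
    """Validate an HTTP Digest response (RFC 2617 form, no qop) from HA1 alone."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    expected = hashlib.md5(f"{record['digest_ha1']}:{nonce}:{ha2}".encode()).hexdigest()
    return hmac.compare_digest(expected, client_response)


def client_digest_response(username, password, method, uri, nonce):
    """What a client holding the plaintext computes; used to exercise verify_digest."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()
```

Note that HA1 is itself an unsalted MD5 of a low-entropy input, so it is only a partial improvement over plaintext and the record still needs the same file permissions as before.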