[jira] Commented: (MNG-553) Secure Storage of Server Passwords

Fri, 08 Aug 2008 05:54:39 -0700 

    [ 
http://jira.codehaus.org/browse/MNG-553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=144485#action_144485
 ] 

Heinrich Nirschl commented on MNG-553:
--------------------------------------

the original report was asking for increased security. Password
obfuscation does not help very much to achieve that. Everybody with
access to the obfuscated password can easily get back the clear text.
It might make people *think* their passwords are safe, when in fact
they are not. So from security point of view obfuscation may be even
more dangerous than storing passwords in clear because then everybody
knows that the settings file has to be protected in some other way.

What about using real encryption? For example with a password based
encryption scheme where a master password that has to be entered
interactively is used to decrypt all the other passwords. This must be
an optional feature to still allow convenient working in low secure
environments and for batch usage.


> Secure Storage of Server Passwords
> ----------------------------------
>
>                 Key: MNG-553
>                 URL: http://jira.codehaus.org/browse/MNG-553
>             Project: Maven 2
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 2.0-alpha-3
>         Environment: Although it may not be relevant since this is a general 
> improvement issue, Windows XP, JDK 1.4.1.
>            Reporter: J. Michael McGarr
>            Assignee: Brett Porter
>            Priority: Critical
>             Fix For: 2.1
>
>
> This was a question pose to the Maven User's Group and it was suggested I add 
> it here.  
> It would be benefitial to provide a more secure means of storing password's 
> to the servers listed in the .m2/settings.xml.  They are currently being 
> stored as plain text and could definately be considered a security breach.  
> Numerous organizations would undoubtedly considered this an unacceptable 
> security risk, and this could prevent widespread adoption of Maven2.
> I would suggest leaving an option to encrypt the password into the settings 
> file (more secure, but not foolproof) or even requiring the password to be 
> manually provided per build (would prevent automation of builds).  I am sure 
> that there is a secure solution to this problem and it should be part of the 
> 2.0 release.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to