Re: Password security

[Gunnar Hjalmarsson <mailbox@gunnar.cc>]

Mellissa Williams wrote:
> 
> I think one of the most secure options I can think of is to make
> the scripts write a new separate file including all the passwords,
> into a location/name that the ringadmin provides.
> 
> Another Idea I had was to encrypt the passwords (a la passwd).
> 
> Yet another idea is to have a PIN/password combo, the password is
> stored in the file, the pin is not, and must be memorized.
Thanks for your suggestions, Mellissa.
When I wrote the script, my aim was to achieve a reasonable security
level, taking into consideration the kind of information we are talking
about here. I mean, the risk that a Ringlink script would be targeted by
a hacker should be negligible.
I missed the fact that other servers could be differently set-up
compared to my own. But if that is fixed īn one way or the other,
Ringlink is safe enough in my opinion.
Your suggestions would increase the security level, but they would mean
quite some work with redsigning the script in this respect. In my
opinion this increase of the security level would not be necessary, and
consequently would not justify the extra work that it would cause.
However, if someone comes up with other obvious security holes, or it
proves not to be possible to make the critical files unreadable from the
web on all servers, I might change my mind.
/ Gunnar