FESCO request to revert password confirmation change in F22

Nico Kadel-Garcia nkadel at gmail.com
Sun Mar 15 16:57:33 UTC 2015


On Mon, Mar 9, 2015 at 6:53 PM, Björn Persson <Bjorn at rombobjörn.se> wrote:
> Nico Kadel-Garcia wrote:
>> I'm the guy that brought up the XKCD comic.
>
> I did it first. ;-)
>
>> The classic
>> storage is the Post-it note on the secretary's desk, but I see a lot
>> of people who should know better writing them into source control
>> systems that everyone in the company can read.
>
> Or even source control systems that everyone in the *world* can read:
>
> http://arstechnica.com/security/2015/03/ubers-epic-db-blunder-is-hardly-an-exception-github-is-awash-in-passwords/
>
> Björn Persson

And Subversion, storing its own plaintext passwords by default in
$HOME/.subversion/ for almost 15 years now. And the Chef 'nrpe' and
'mysql' cookbooks, storing MySQL and other database passwords in plain
text for system configuration, and the 'users' cookbook storing
private SSH keys in unencrypted data bags with no hooks to encrypt the
stored private keys.

Yeah, the list goes on, and on, and on for tools that store
unprotected credentials.
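
An added example, not part of the original message: a small audit script for the Subversion case mentioned above. It parses the cached-credential files under `auth/svn.simple/` and reports entries whose `passtype` is `simple` (plaintext), without printing the password. The sample entry, realm and user names are constructed.

```python
import io
from pathlib import Path

def parse_svn_hash(data: bytes) -> dict:
    """Parse Subversion's serialized hash: 'K <n>\\n<key>\\nV <n>\\n<value>\\n' ... 'END'."""
    stream = io.BytesIO(data)

    def read_item(header: bytes, tag: bytes) -> bytes:
        kind, _, length = header.rstrip(b"\n").partition(b" ")
        if kind != tag or not length.isdigit():
            raise ValueError(f"expected {tag!r} record, got {header!r}")
        item = stream.read(int(length))  # lengths are byte counts, so values may contain newlines
        if len(item) != int(length) or stream.read(1) != b"\n":
            raise ValueError("truncated record")
        return item

    entries = {}
    while True:
        header = stream.readline()
        if not header or header.rstrip(b"\n") == b"END":
            return entries
        key = read_item(header, b"K")
        entries[key.decode()] = read_item(stream.readline(), b"V")

def is_plaintext(entries: dict) -> bool:
    # Assumption: a cache file that has a password but no passtype key is treated as "simple".
    return "password" in entries and entries.get("passtype", b"simple") == b"simple"

def audit(auth_dir: Path) -> list:
    """Return (file name, username, realm) per plaintext entry; the password is never returned."""
    findings = []
    for path in sorted((auth_dir / "svn.simple").glob("*")):
        try:
            entries = parse_svn_hash(path.read_bytes())
        except (OSError, ValueError):
            continue  # unreadable, or not a credential cache file
        if is_plaintext(entries):
            findings.append((path.name,
                             entries.get("username", b"").decode(errors="replace"),
                             entries.get("svn:realmstring", b"").decode(errors="replace")))
    return findings

def serialize(entries: dict) -> bytes:
    """Write the same format; used here only to build the constructed sample."""
    return b"".join(b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
                    for k, v in entries.items()) + b"END\n"

SAMPLE = serialize({b"passtype": b"simple", b"password": b"not-a-real-secret",  # constructed
                    b"svn:realmstring": b"<https://svn.example.invalid:443> Constructed Realm",
                    b"username": b"alice"})

if __name__ == "__main__":
    for finding in audit(Path.home() / ".subversion" / "auth"):
        print("plaintext credential:", finding)
```

Entries it reports can be removed and further plaintext caching turned off with `store-plaintext-passwords = no` in `~/.subversion/servers`.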

