 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] feature request (hidden and encrypted passwords/pre-shared keys)
 Date:  Thu, 21 Apr 2005 14:52:22 -0400
On 4/21/05, Christoph hanle <christoph dot hanle at leinpfad dot de> wrote:
> Neil A. Hillard wrote:
> >>I think it is not a good solution that in the webgui and the config.xml
> >>the passwords for PPPoE etc. and the pre-shared key are always
> >>visible in cleartext; the admin password is hidden or encrypted,
> >>respectively. IMHO this is a big problem with the security.
> > Try:
> >
> > http://www.m0n0.ch/wall/docbook/faq-plaintextpass.html
> >
> 
> Thx, I have overlooked this part, but I think it might be possible to
> encrypt/decrypt these passwords, for example against the admin password.
> And in the web GUI you can use the "hidden" tag.
> But I still think this is a big security hole that should be fixed.

It can't be fixed.  Any "fix" would be nothing more than obfuscation. 
Creating a false sense of security is worse than making it clear there
should be *no* sense of security.

That FAQ explains why very well.  

-Chris