On 04.06.2004 14:54 -0400, Jay Custin wrote:
> Just an idle question...
>
> Is there a reason the PPPoE password is NOT encrypted on the webGUI
> nor in the XML configuration file? Just seems a bit odd.

MPD needs the password in plaintext form for CHAP authentication, and
therefore we cannot one-way-encrypt it (unlike the system password).
We could encrypt it somehow, of course, but anybody with a passing
understanding of PHP could just look at the m0n0wall source code and
figure out how it's done. I abhor security by obscurity, so I'd
rather have the password stored in plaintext in the config to make it
clear that it's something worth protecting than giving the user a
false impression of security.

Oh, and as for the reason why the webGUI input field is not defined
as a password field: I wanted to minimize a possible cause of failure
(mistyping the PPP password) without inconveniencing the user by
making him/her enter it twice (some DSL providers like to assign
excessively long passwords). It would protect against the "looking
over your shoulder" kind of prying eyes, but I felt that the benefits
outweigh that disadvantage.

- Manuel
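
The CHAP constraint described in the reply above, as an added example that is not part of the original message and is not m0n0wall or MPD code: it runs an RFC 1994 MD5-CHAP exchange once with the client holding the plaintext password and once with the client holding only a one-way hash of it. The class and function names, the sample password, and the use of PBKDF2 as a stand-in for "one-way encryption" are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5-CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Provider side: knows the shared secret, issues challenges, checks responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._id = 0
        self._challenge = b""

    def challenge(self):
        self._id = (self._id + 1) % 256
        self._challenge = os.urandom(16)  # fresh per attempt, so replies cannot be replayed
        return self._id, self._challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        if identifier != self._id:
            return False
        expected = chap_response(identifier, self._secret, self._challenge)
        return hmac.compare_digest(expected, response)


def one_way_store(password: bytes, salt: bytes) -> bytes:
    """Stand-in for one-way storage of a login password (assumed: PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def run_exchange(server_secret: bytes, client_stored: bytes) -> bool:
    """One challenge/response round; the client can only use what it has stored."""
    auth = Authenticator(server_secret)
    ident, chal = auth.challenge()
    return auth.verify(ident, chap_response(ident, client_stored, chal))


PPP_PASSWORD = b"constructed-example-password"  # constructed sample value
SALT = b"constructed-salt"                      # constructed sample value

if __name__ == "__main__":
    print("client stores plaintext:", run_exchange(PPP_PASSWORD, PPP_PASSWORD))
    print("client stores one-way hash:",
          run_exchange(PPP_PASSWORD, one_way_store(PPP_PASSWORD, SALT)))
```

The second exchange fails because the response must be computed over the secret itself, and a one-way hash cannot be turned back into it.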