brackets-userland / brackets-git

brackets-git — git extension for adobe/brackets

(not so) critical security bug, saved passwords are stored in plain text locally #728

Open FezVrasta opened 10 years ago

FezVrasta commented 10 years ago

We save passwords in clear text inside the URL of the repository.

If you use some tool like "bower init" or "npm init" they will propose as default git repository the url with the password.

It would be REALLY useful to add a check during the commit dialog to check if the password is written somewhere inside the DIFF and, if so, warn the user about this problem.
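The check proposed above, as an added example that is not part of the original issue or of brackets-git's own code: a small scanner that walks the added lines of a unified diff and reports any git remote URL that carries `user:password@` in its authority part, so a commit dialog could warn before the secret leaves the machine. The diff text, file name, user name and password below are constructed sample data; the function names (`findCredentialsInDiff`, `redactUrl`) are this example's own.

```javascript
// Added example (not brackets-git code): detect credentials embedded in
// remote URLs on the ADDED lines of a unified diff.

// scheme://user:password@host/... for the URL schemes git accepts.
// Only matches when BOTH a user and a password are present before '@',
// so plain "https://alice@host/" or "host:8080" does not trigger it.
// The scp-style "git@host:path" form carries no password and is not covered.
const CRED_URL_RE = /\b(https?|ssh|git):\/\/([^\s/:@]+):([^\s/@]+)@([^\s"']+)/g;

// Replace the password part of a credential-bearing URL with '***' so the
// warning shown to the user never repeats the secret.
function redactUrl(url) {
  return url.replace(/\/\/([^:@/]+):[^@/]+@/, '//$1:***@');
}

// Walk the diff line by line. '+++ b/<file>' headers track the current file;
// only lines starting with a single '+' (additions) are scanned, because
// removed and context lines do not enter the new commit.
function findCredentialsInDiff(diffText) {
  const findings = [];
  let file = null;
  for (const line of diffText.split('\n')) {
    if (line.startsWith('+++ ')) {
      file = line.slice(4).replace(/^b\//, '');
      continue;
    }
    if (!line.startsWith('+')) continue;
    const added = line.slice(1);
    CRED_URL_RE.lastIndex = 0; // reset the global regex between lines
    let m;
    while ((m = CRED_URL_RE.exec(added)) !== null) {
      findings.push({
        file,
        user: m[2],
        host: m[4].split('/')[0],
        redacted: redactUrl(m[0]),
      });
    }
  }
  return findings;
}

// Constructed sample diff: "bower init" wrote the remote URL, password
// included, into bower.json. The removed line is deliberately clean.
const SAMPLE_DIFF = [
  'diff --git a/bower.json b/bower.json',
  '--- a/bower.json',
  '+++ b/bower.json',
  '@@ -1,4 +1,4 @@',
  ' {',
  '   "name": "demo",',
  '-  "repository": "https://example.com/alice/demo.git",',
  '+  "repository": "https://alice:hunter2@example.com/alice/demo.git",',
  '   "version": "0.0.1"',
].join('\n');

// Stand-alone usage: print one warning line per finding.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findCredentialsInDiff(SAMPLE_DIFF)) {
    console.log(`warning: ${f.file} adds credentials for ${f.user}@${f.host}: ${f.redacted}`);
  }
}
```

The scan keys on the URL shape rather than on the user's actual password string, so it also catches a colleague's credentials or a second account, and the warning is built from `redactUrl` so the dialog itself does not echo the secret.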

FezVrasta commented 10 years ago

An alternative (and probably safer way) would be to crypt username:password and store the crypt password in the brackets settings. Then every time we need to use these credentials we decrypt them and use them on the fly without saving them somewhere. ping @zaggino

zaggino commented 10 years ago

This is not really anything critical - as for the bower and npm, it's their bug, not ours.

Hiding the passwords in Brackets settings? I'd say yes as an enhancement, but not as a critical thing really.

FezVrasta commented 10 years ago

Actually git is not thought of as a password storage, we are "hacking" it, so I don't think it's a fault of bower or of npm

zaggino commented 10 years ago

agree to disagree

CoenraadS commented 9 years ago

Not sure I agree with this. Storing an encryption key is just 1 extra step, it doesn't actually provide better security. If someone was to code a stealer specifically aimed at brackets/git, it would just find the key and decrypt the passwords anyway. Security through obscurity isn't a good idea.

I believe this is a good reference: https://developer.pidgin.im/wiki/PlainTextPasswords

FezVrasta commented 9 years ago

@CoenraadS I'm not talking about preventing hacks "client side". I'm trying to improve the security when you use tools like Bower or NPM that could expose your password accidentally.