maxlath / wikibase-cli

read and edit a Wikibase instance from the command line
MIT License

config.md does not hint at passwords being stored in clear text #44

Closed almereyda closed 6 years ago

almereyda commented 6 years ago

The config.md documentation suggests that users store their account credentials to allow write operations.

The special page write_operations.md mentions the fact of clear text storage, but far away even from README.md.

Would it be possible to provide the password as a secure hash to the remote auth endpoint instead?

maxlath commented 6 years ago

The constraint is that, unless using OAuth (for which there is a pending issue #25 and which itself will need to store secret keys), we need to be able to recover the password. Would storing the password as a hash of a symmetric algorithm (like base64) address your concern?

maxlath commented 6 years ago

The hint is there now.

almereyda commented 6 years ago

No, a symmetric hash does not address the concern, but this is probably a separate issue.

Thanks for telling the users more prominently about the caveats with this. Closing in favour of #45.
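
An added example, not part of the original thread and not wikibase-cli's code: a Node.js audit of a JSON config file that reports credential fields stored in clear text or as base64 (reversible by anyone who can read the file) and whether the file mode lets other local users read it. The key names, file layout and sample values are assumptions constructed for illustration.

```javascript
// Added example: key names and file layout are hypothetical, not wikibase-cli's format.
const fs = require('fs')
const os = require('os')
const path = require('path')

const SECRET_KEYS = /^(password|secret|token)$/i

// Heuristic: base64 is an encoding, so a value that round-trips to printable text is recoverable without a key
function looksLikeBase64 (value) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value) || value.length % 4 !== 0) return false
  const decoded = Buffer.from(value, 'base64')
  return decoded.toString('base64') === value && /^[\x20-\x7e]+$/.test(decoded.toString('latin1'))
}

function findSecrets (obj, trail = []) {
  const findings = []
  for (const [key, value] of Object.entries(obj)) {
    const here = trail.concat(key)
    if (value && typeof value === 'object') findings.push(...findSecrets(value, here))
    else if (SECRET_KEYS.test(key) && typeof value === 'string' && value !== '') {
      findings.push({ path: here.join('.'), storage: looksLikeBase64(value) ? 'base64 (reversible)' : 'clear text' })
    }
  }
  return findings
}

function auditConfig (file) {
  const mode = fs.statSync(file).mode & 0o777
  return {
    mode: mode.toString(8),
    readableByOthers: (mode & 0o077) !== 0, // any group/other permission bit set
    secrets: findSecrets(JSON.parse(fs.readFileSync(file, 'utf8')))
  }
}

// Constructed sample config, written to a temp dir so the audit runs offline
function demo () {
  const file = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'cfg-')), 'config.json')
  const sample = {
    credentials: { username: 'alice', password: 'hunter2hunter2' },
    backup: { password: Buffer.from('hunter2hunter2').toString('base64') }
  }
  fs.writeFileSync(file, JSON.stringify(sample))
  fs.chmodSync(file, 0o644)
  const before = auditConfig(file)
  fs.chmodSync(file, 0o600) // owner-only limits exposure; the secret is still recoverable
  return { before, after: auditConfig(file) }
}
console.log(JSON.stringify(demo(), null, 2))
```

Tightening the file mode changes `readableByOthers` but not the `secrets` findings: both stored values remain recoverable by anything that can read the file as its owner.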