Open Pentaphon opened 1 year ago
I agree that passwords should not be stored or displayed in plain text. Safely storing credentials that need to be passed later requires a secret management system. This is non-trivial. To avoid reinventing the wheel, you would have to implement connectors for existing secret management systems. At some point, the user running the nzbget process needs access to the password so it can be sent to the news server. If that user gets compromised, the attacker will be able to dump the secret from the vault. To avoid this you would need an additional layer that logs in to the usenet server for the nzbget user. Now you've moved the secret to a different user/process on the same OS. Is that far enough?
How far do you expect to take this? Scoping is important if this issue is to ever see traction.
Know how nzbget shows your usenet account passwords inside the WebUI? It shouldn't do that anymore. It gets people's accounts stolen if their nzbget gets compromised.
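The narrow fix the thread converges on, as an added example that is not part of this issue or of nzbget's own code: the process keeps the plaintext password in memory, because it has to send it to the news server, but the password never leaves the process through the WebUI, the API or a log line. The UI gets a mask, posting the mask back means "keep the existing password", and a redaction helper scrubs known secrets from log output. `ServerConfig`, `MASK`, `to_ui`, `apply_ui_update`, `ui_payload_leaks` and `redact` are hypothetical names, and the `AUTHINFO PASS` line is a constructed sample, not captured nzbget output. Python is used to show the pattern; nzbget itself is C++.

```python
import json
from dataclasses import dataclass, field

# Sentinel the WebUI shows in the password field and posts back unchanged
# when the user did not type a new password. (Hypothetical name.)
MASK = "********"


@dataclass
class ServerConfig:
    """Hypothetical news-server entry.

    The process must hold the plaintext password to authenticate, so it
    stays in memory; only the paths that leave the process (UI, API, logs)
    are masked.
    """
    host: str
    username: str
    # repr=False keeps the secret out of repr(), so a debug log of the
    # object does not print it.
    password: str = field(repr=False)

    def to_ui(self) -> dict:
        """View that is safe to serialise for the WebUI: the secret is never
        included, only a mask that signals 'a password is set'."""
        return {
            "host": self.host,
            "username": self.username,
            "password": MASK if self.password else "",
        }

    def apply_ui_update(self, form: dict) -> "ServerConfig":
        """Merge a form posted back by the WebUI.

        Write-only semantics: the mask means "keep the existing password";
        any other value (including "") replaces it. Fields the form omits
        keep their current value.
        """
        posted = form.get("password", MASK)
        new_password = self.password if posted == MASK else posted
        return ServerConfig(
            host=form.get("host", self.host),
            username=form.get("username", self.username),
            password=new_password,
        )


def ui_payload_leaks(cfg: ServerConfig) -> bool:
    """Regression check: does the JSON sent to the browser contain the secret?"""
    return bool(cfg.password) and cfg.password in json.dumps(cfg.to_ui())


def redact(line: str, secrets) -> str:
    """Replace every known secret in a log line with the mask.

    Longest secrets first, so a short secret that is a substring of a longer
    one does not leave fragments of the longer one behind. Empty strings are
    skipped; replacing "" would corrupt the line.
    """
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        line = line.replace(secret, MASK)
    return line


if __name__ == "__main__":
    cfg = ServerConfig("news.example.net", "alice", "s3cr3t-pass")
    print(cfg.to_ui())                        # password field shows the mask
    kept = cfg.apply_ui_update({"host": "news2.example.net", "password": MASK})
    print(kept.password == cfg.password)      # mask posted back: password kept
    # Constructed sample of the kind of line an NNTP client might log at debug level.
    print(redact("AUTHINFO PASS s3cr3t-pass", [cfg.password]))
```

The `ui_payload_leaks` check is the one worth wiring into a test suite: it fails the moment someone adds the raw field back to the UI serialiser. Note what this does not solve, which is the point made in the comment above: anyone who can read the process memory or the config file on disk still gets the password, so the gain is limited to the WebUI and API surface.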