Closed kiprasmel closed 4 years ago
Personally I see the plaintext option as a lazy option for testing etc., and the private key file as the option for storing a key in a file, e.g. ~/.ssh/id_rsa, so you don't need the password or any plaintext options. Does this work for you?
@heartfelttech Yeah I myself use ssh keys. I was thinking about new users who might not be aware of ssh keys & might store their passwords in plaintext.
I suppose we can either add some note in the documentation and/or close this.
Thanks for the feedback, @sarpik! I've gone and added a warning to the README.md, and removed the examples that show passwords in plaintext. I agree that it is not something we should encourage.
password and passphrase fields now have a note on them that storing passwords in plaintext is a bad idea. :)
Hello, glad that this extension exists - thank you for your work!
I'd like to suggest something:
The settings.json file should probably not be treated as a secure place to store passwords & other confidential information.
Extensions like https://github.com/shanalikhan/code-settings-sync allow you to back up your settings and the settings.json file is obviously included. And while the backup gist is private by default, you can set it to public to allow other people to use it.
Thus if someone makes it public, they could leak their passwords.
I don't know where you'd store the passwords though - it'd probably be best not to store them anywhere & just use ssh keys :D
(this is just an fyi, I'm not working w/ security etc)
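
A pre-sync check for the risk raised in this thread, as an added example that is not part of the original discussion or the extension's code: it lists where a settings.json holds non-empty `password` or `passphrase` values. The setting name `example.connections`, the `privateKeyFile` key and the sample values are constructed for illustration.

```javascript
// Field names `password` and `passphrase` come from the thread; the rest is constructed.
const SECRET_KEYS = new Set(["password", "passphrase"]);
// settings.json allows comments and trailing commas; normalise it to strict JSON
// without touching anything inside string literals.
function stripJsonc(text) {
  let out = "", i = 0;
  while (i < text.length) {
    const c = text[i], n = text[i + 1];
    if (c === '"') {                        // copy a string literal verbatim
      let j = i + 1;
      while (j < text.length && text[j] !== '"') j += text[j] === "\\" ? 2 : 1;
      out += text.slice(i, j + 1);
      i = j + 1;
    } else if (c === "/" && n === "/") {    // line comment: skip to end of line
      while (i < text.length && text[i] !== "\n") i++;
    } else if (c === "/" && n === "*") {    // block comment: skip past "*/"
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 2;
    } else {
      if (c === "}" || c === "]") out = out.replace(/,\s*$/, ""); // trailing comma
      out += c;
      i++;
    }
  }
  return out;
}
// Return the paths of non-empty password/passphrase strings (never the values).
function findPlaintextSecrets(settingsText) {
  const findings = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((v, idx) => walk(v, `${path}[${idx}]`));
    } else if (node && typeof node === "object") {
      for (const [key, value] of Object.entries(node)) {
        const here = path ? `${path}.${key}` : key;
        if (SECRET_KEYS.has(key.toLowerCase()) && typeof value === "string" && value) findings.push(here);
        else walk(value, here);
      }
    }
  };
  walk(JSON.parse(stripJsonc(settingsText)), "");
  return findings;
}
// Constructed sample; "example.connections" and "privateKeyFile" are hypothetical names.
const SAMPLE = `{ "editor.fontSize": 14, // this file may be synced to a gist
  "example.connections": [
    { "host": "a.example", "password": "hunter2 // not a comment" },
    { "host": "b.example", "privateKeyFile": "~/.ssh/id_rsa", "passphrase": "" }, /* key auth */
  ], }`;
console.log(findPlaintextSecrets(SAMPLE));
```

Running it before enabling a settings backup, or before switching a backup gist to public, shows which entries still need to move to key-based authentication.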