IgorV, 2013-11-12 22:33:04

My WebMoney Linux stores the password in clear text

This is not a question, but a warning.
I recently installed "My WebMoney" under Linux and found that the password for accessing the program is stored in clear text in "~/.weblaf/wmd.security.xml". And I had set the password to be the same as the one for accessing the account (for convenience), so I felt a little uncomfortable at such a discovery.
Well, since this is Q&A, the question is: is this really considered normal, and is it supposed to be this way?

5 answer(s)
nochkin, 2013-11-12
@nochkin

Perhaps the assumption is that only the owner of the account should have access rights to the file (for example, rights 0400 or 0600).
Many systems store passwords this way. After all, someone else cannot read the file from the outside by standard methods.
Otherwise, even an encrypted password can be decrypted, because the key will need to be stored on the same machine in the WebMoney binary. That is, the key can potentially be extracted, and then the encryption of the password will not make a big difference.

Puma Thailand, 2013-11-13
@opium

It is not considered normal to set the same passwords; look for the problem in your head.

merlin-vrn, 2013-11-13
@merlin-vrn

How do you imagine autologin if the password is stored encrypted on the computer? Well, that is, either you, like in ssh, decrypt it yourself every time (and why then save it?), or it is stored in an open (well, or reversibly encrypted) form. In the second case, you don't even have to decrypt it: copy the profile to another computer, and it will pick it up.
An example for you is Skype. I don't know how it stores encrypted passwords there, but I take a profile, copy it, and it works. This means that Skype is able to decrypt and use the saved password without my participation, which means that the password can also be stolen from it. And from Firefox you can. And in general, any program with a "remember password" checkbox works like this.

rozhik, 2013-11-13
@rozhik

No, it's not normal. Security at the file access level is not enough. After all, there are enough holes in the software that a person may use (Firefox + Flash alone have had more than a dozen exploits for getting a local file over the past couple of years).
SSH, for example, can encrypt keys with a passphrase. Some clients store a password hash and a token or authorization key from the server (so as not to force the user to enter a password). Or other approaches.

IgorV, 2013-11-13
@IgorV

You misunderstood me. This password is not for autologin, but for starting the program. I just made it the same as for the WebMoney login, so as not to remember another password. And I thought that in this case it would simply store the hash of the password.
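
An added example (not WebMoney's code and not written by anyone in this thread): a sketch of what the last reply expected for a start-up password, keeping only a salted PBKDF2 verifier in a file created with the 0600 mode mentioned in the first answer. The file name, iteration count and sample password are assumptions; this fits a password that only has to be checked, not one the program must replay for autologin.

```python
import hashlib, hmac, json, os, stat, tempfile

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this sketch

def make_verifier(password: str) -> dict:
    """Build a record that can check the password but does not contain it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def save_verifier(path: str, record: dict) -> None:
    """Create the file as 0600 so it is never readable by other accounts."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)
    os.chmod(path, 0o600)  # tighten the mode if the file already existed

def check_password(path: str, candidate: str) -> bool:
    """Refuse a group/world-accessible file, then compare in constant time."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:04o}; expected 0600 or 0400")
    with open(path) as fh:
        rec = json.load(fh)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(rec["salt"]), rec["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(rec["hash"]))

def demo() -> dict:
    """Round trip with a constructed password in a temporary directory."""
    secret = "constructed-sample-password"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "startup-verifier.json")  # hypothetical name
        save_verifier(path, make_verifier(secret))
        with open(path) as fh:
            raw = fh.read()
        result = {"mode": stat.S_IMODE(os.stat(path).st_mode),
                  "plaintext_in_file": secret in raw,
                  "good": check_password(path, secret),
                  "bad": check_password(path, "wrong-guess")}
        os.chmod(path, 0o644)  # simulate a file left readable by others
        try:
            check_password(path, secret)
            result["loose_mode_refused"] = False
        except PermissionError:
            result["loose_mode_refused"] = True
    return result

if __name__ == "__main__":
    print(demo())
```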
