RE: [equinox-dev] Secure Storage Javadoc Gotchas
- From: "Oberhuber, Martin" <Martin.Oberhuber@xxxxxxxxxxxxx>
- Date: Wed, 2 Apr 2008 23:49:27 +0200
thanks for all this information. Couple of comments and
Runtime option for password: IMHO this is a no-no because a simple ps -ef
on Linux will show the command line that was used for launching Eclipse,
including the plaintext password. It's one of the things I've always disliked
about the old Eclipse Keyring.

Runtime option for keyring location: I've always liked this one because
it allowed me to place my old Eclipse keyring into an NTFS encrypted folder
for added security, with rw access only for my user id - an option that helps
reduce the risk of "I copy your keyring and apply brute force attacks to it"
kinds of approaches.

Password recovery questions: When would those ever be used? Aren't
these vulnerable to Brute Force Dictionary attacks?

Trusted bundles: sounds interesting.

Password Provider Priorities: shouldn't the user be able to move up /
move down / enable / disable password providers by Preference rather than just
showing the fixed priorities?

[question added by oleg]: that's a bit of information which I actually
found in the docs ;-)
Martin Oberhuber, Senior Member of Technical Staff, Wind River
Target Management Project Lead, DSDP PMC Member
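
The `ps -ef` point in the message above can be checked on a Linux host by reading the same `/proc/<pid>/cmdline` data that `ps` prints. This is an added example, not part of the original message and not Equinox code; the option-name patterns and the sample command line are constructed assumptions.

```python
import os
import re

# Assumed patterns for options that carry a secret inline (illustrative list).
SECRET_FLAG = re.compile(r"^--?(?:[\w.]+[-_.])?(password|passwd|pwd|secret|token)$", re.I)
SECRET_ASSIGN = re.compile(r"^(--?[\w.-]*(?:password|passwd|pwd|secret|token))=(.+)$", re.I)

# Constructed sample: a launcher started with a keyring location and an inline password.
SAMPLE_ARGV = ["eclipse", "-data", "/home/u/ws", "-keyring", "/home/u/.keyring",
               "-password", "example-not-a-real-secret"]


def exposed_secret_args(argv):
    """Return (option, index_of_value) pairs; the secret value itself is never returned."""
    hits = []
    for i, arg in enumerate(argv):
        m = SECRET_ASSIGN.match(arg)
        if m:  # form: --password=value
            hits.append((m.group(1), i))
        elif SECRET_FLAG.match(arg) and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            hits.append((arg, i + 1))  # form: -password value
    return hits


def read_cmdline(pid, proc_root="/proc"):
    """argv of a process as other local users can read it (the data ps -ef shows)."""
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as f:
            raw = f.read()
    except OSError:
        return []  # process exited, or the entry is not readable
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def scan_processes(proc_root="/proc"):
    """Map pid -> findings for every process whose command line carries a secret."""
    findings = {}
    if os.path.isdir(proc_root):
        for entry in os.listdir(proc_root):
            if entry.isdigit():
                hits = exposed_secret_args(read_cmdline(entry, proc_root))
                if hits:
                    findings[int(entry)] = hits
    return findings


if __name__ == "__main__":
    print("sample:", exposed_secret_args(SAMPLE_ARGV))
    for pid, hits in sorted(scan_processes().items()):
        print(pid, [opt for opt, _ in hits])
```

The report lists only the option name and argument position, so the audit output does not copy the exposed value into yet another place.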