Proxy Password Stored in Cleartext



  • Hi,

    When setting up the proxy configuration in ProGet 3.0.3 I've noticed that the authentication password is stored in clear text in the database. Are there any plans to change this behavior to store all passwords encrypted?

    Thanks
    Stefan

    Product: ProGet
    Version: 3.0.3



  • We can change this so encryption is supported for this field and the SMTP password; however, that still wouldn't stop a determined attacker. We recommend using Windows proxy settings if security is a concern.

    Note that built-in user (i.e. non-LDAP) passwords are already stored as hashed/salted values, not plain text. There are no other passwords stored in ProGet at the moment.



  • Hi Tod,

    Thanks a lot for the quick reply. I agree that encrypting the proxy and SMTP password would not stop a determined hacker. However, it would at least hide the set password better from people who have access to the database and from ProGet administrators. Currently, the proxy password is also displayed in clear text in the Advanced Settings administration screen. Hence, I must share the proxy password with all ProGet administrators.

    Using the Windows Proxy settings unfortunately did not work with how our company network is set up.

    Thanks!



  • Hi Tod,

    Do you think it's possible to at least mask the password in the Advanced Settings screen? This way it is also consistent with the proxy configuration screen where the password is masked.

    Best regards,
    Stefan



  • We can start by masking it as a quick hack, but can encrypt it in a future version as well.



  • That sounds great, thanks a lot!


