Wilfried Woeber, UniVie/ACOnet wrote:
Max Tulyev wrote:
Hi Katie!
Why not just to hide encrypted password from public view (as it done with e-mails)?
Even that is a bad hack which I resent, but eventually I gave in. We had done a similar thing in the past, with a different attribute, and we had to roll back.
And we would have to invent just another flag to undo the hiding. This cannot be kept secret for long, so what? (Not doing that would actually require "everyone" to keep a *local* copy of the hash on backup for inclusion in the next update. That's asking for chaos :-( )
The IRRd software returns the special token "HIDDENCRYPTPW" for the CRYPT-PW value. Note this is 13 characters long and thus a legal CRYPT-PW value. If an update is submitted with this value, the existing CRYPT-PW is left in place. There is a very small chance of a collision with an actual password, but the probability is deemed to be too low to be of concern for this application. Things can get a bit tricky if one has multiple CRYPT-PW passwords. I can go over the algorithm used by IRRd in such cases if anyone cares. -Larry Blunk Merit Network