Bobby Bissett wrote on 05/ 4/10 11:53 AM:
> On Apr 28, 2010, at 7:12 PM, Bill Shannon wrote:
>> [...]
>> And remember, if someone uses the --savemasterpassword option, the
>> password will be stored in clear text in the file. This is not new.
>
> When I try this, I don't see the password stored anywhere in clear text
> (but it's working as I'm not prompted for master password at startup).
> Can you point me to where it's stored?
Sorry, you're right, it's stored in a keystore encrypted with a fixed key.
Obscured, but not secure.
> If it's not stored in the clear, then the most secure thing the upgrade
> tool can do is have users use the --storemasterpassword option before
> running an upgrade if it's not the default. Then they could change the
> password again without it after the upgrade. That means I could rip the
> credentials code out of the tool, and the security problem turns into a
> minor doc change.
>
> Does anyone besides me like that idea? ("Nice try, Bobby" is an
> acceptable answer.)
That's probably fine for people who don't trust the upgrade tool to
manage the master password for them during the upgrade, but seems like
you still ought to handle the case where the user is willing to type
the master password to the upgrade tool.