Sunday, 7 July 2019

security - Should I be concerned if my Git hosting provider stores passwords in plaintext?


I found a comment on Reddit suggesting that ProjectLocker, a free Git host, stores their passwords in plain text.


I don't know

  • (a) if this is true
  • (b) how to verify it or
  • (c) how worried I should be if it's correct.


Could this mean that it would be trivially easy for someone to get into one of my private code repositories?



Answer



I work at ProjectLocker, and I'd like to add some clarity to this thread. First, to answer the OP's questions:


a) This rumor is not true. ProjectLocker doesn't store passwords in plaintext.


b) You can't verify this for ProjectLocker or any other website without access to their backend systems.


c) I'd be fairly worried. However, I would be pretty surprised to find that any of the major Subversion hosting or Git hosting sites store plaintext passwords. It's just a bad idea.


Incidentally, all Git access at ProjectLocker uses public-key authentication and no passwords.


As others have pointed out, ProjectLocker does allow users to retrieve lost passwords. We do this by storing passwords encrypted with a two-way function. (If you ever check the "save this card for later" box on an ecommerce website, your credit card is stored that way. Same thing goes for subscription sites that bill periodically, such as Netflix.) In general, we treat passwords as sensitive data, like credit cards or customer artifacts (code, etc.). There's a fair philosophical debate about whether sites should store passwords in retrievable format, but feedback from our users indicated that they prefer retrievable passwords.


As to the post on Reddit, I can say that the poster has never worked at ProjectLocker and has no actual knowledge of our authentication systems. The poster most likely is not familiar with two-way functions, and is mistakenly confusing "reversible" with "plaintext."


Finally, if you are considering hosting your code with a third party, and you do not trust their answers to a question like this, you should definitely not store your code there. If you don't trust your host, you shouldn't use them at all, regardless of how they store your password.

