Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Rick Martin wrote:
> First, let me say I'm no expert on sspi. The way I set it up was to not put
> the password in the login statement inside wincvs. When you first login you
> are prompted for the password. This password is encrypted and stored in the
> local registry. That way you don't have to login each time you start WinCVS.
> I don't know how strong or what type of encryption is used. Perhaps Tony or
> another developer can jump in here.

The encryption in the registry is pretty weak (it's the same encryption that pserver uses) but it's pretty hard to steal data out of a registry unless you're already authenticated as the user or an administrator (in both cases if a blackhat gets that far the cvs password is the least of your problems).

> Also, I've used Ethereal to watch the TCP packets at the server end. The
> initial packets used to negotiate the connection are basically in plain
> text. However, the password is not. It is encrypted. The encrypted value is
> not the same as what is stored in the registry. Again, I didn't try to test
> the strength of the encryption.

It's defined by Microsoft. NTLMv2 (which anything newer than NT4 will use) is pretty hard to crack. Not impossible, I'm told. If you are logged onto an active directory it uses Kerberos which is as good as impossible to crack.

Tony