Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Thanks for the info, Tony.

Rick

"Tony Hoyle" <tmh at nodomain.org> wrote in message news:d3mknb$rah$1 at paris.nodomain.org...
> Rick Martin wrote:
>> First, let me say I'm no expert on sspi. The way I set it up was to not
>> put the password in the login statement inside wincvs. When you first
>> login you are prompted for the password. This password is encrypted and
>> stored in the local registry. That way you don't have to login each time
>> you start WinCVS. I don't know how strong or what type of encryption is
>> used. Perhaps Tony or another developer can jump in here.
>
> The encryption in the registry is pretty weak (it's the same encryption
> that pserver uses) but it's pretty hard to steal data out of a registry
> unless you're already authenticated as the user or an administrator (in
> both cases if a blackhat gets that far the cvs password is the least of
> your problems).
>
>> Also, I've used Ethereal to watch the TCP packets at the server end. The
>> initial packets used to negotiate the connection are basically in plain
>> text. However, the password is not. It is encrypted. The encrypted value
>> is not the same as what is stored in the registry. Again, I didn't try to
>> test the strength of the encryption.
>
> It's defined by Microsoft. NTLMv2 (which anything newer than NT4 will
> use) is pretty hard to crack. Not impossible I'm told.. If you are logged
> onto an active directory it uses Kerberos which is as good as impossible
> to crack.
>
> Tony