From: "trevor" <trevor / idvertise.com>
>
> ok, again i'm a bit confused by this.  (sorry if it has been discussed, 
> i did a search and could not find an answer)
> 
> so if that is the case, why does basically every other password 
> mechanism i can think of not just use plain text, and just rely on 
> having "correct file permissions".  I'm curious then, where does mysql 
> store its username and passwords?  are they available in plaintext 
> somewhere on my harddrive too?
> 
> i'm not being sarcastic...i just don't quite get it...

It's kind of a client vs. server issue.  The server (the database in this
case) can indeed store passwords in some hashed representation.

But the client (rails in this case) has to connect to the database and
send the clear password to the database.

So, the best rails (as a client of the database) could do is attempt
to obscure the password (as the CVS client does in its .cvspass files).

But obscuring the password on the client side is not really secure,
because the client has to be able to turn the obscured password back
into cleartext in order to gain access to the server (the database).

So if the passwords are merely obscured, and your file permissions
are wrong, then anybody who can see the obscured passwords can
turn them back into cleartext with the same algorithm the legitimate
client must use in order to supply the password to the server.

So file permissions are really the only real defense (that I know of)
against passwords on the client side being seen by unauthorized
entities.


Regards,

Bill
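An added example, not from this thread, written in Ruby since the client in question is Rails. It puts the server's and the client's roles side by side: the server keeps a salted hash it never needs to reverse, while the client's "obscured" value is recovered by the same routine the client itself must run, leaving the file mode check as the real defence. The fixed-key XOR and its key are a constructed stand-in for CVS's .cvspass scramble, not its actual table; ITERATIONS, OBSCURE_KEY and the function names are this example's own.

```ruby
require "openssl"
require "securerandom"
require "tempfile"

# Server side (the database's role): store a salted, slow hash. Verifying a
# login only re-derives the hash, so the cleartext is never recoverable here.
ITERATIONS = 50_000

def server_store(password, salt: SecureRandom.random_bytes(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, "sha256")
  { salt: salt, digest: digest }
end

# Constant-time comparison so verification timing does not leak digest bytes.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def server_verify(record, attempt)
  candidate = OpenSSL::PKCS5.pbkdf2_hmac(attempt, record[:salt], ITERATIONS, 32, "sha256")
  secure_equal?(candidate, record[:digest])
end

# Client side (Rails' role): it must send the cleartext, so anything it stores
# is only obscured. A fixed-key XOR stands in for the CVS .cvspass scramble;
# the key is a constructed value for this example, not CVS's real table.
OBSCURE_KEY = "rails-client-demo".bytes.freeze

def client_obscure(password)
  scrambled = password.bytes.each_with_index.map { |b, i| b ^ OBSCURE_KEY[i % OBSCURE_KEY.size] }
  scrambled.pack("C*").unpack1("H*") # hex, so the value can sit in a YAML file
end

# Anyone who can read the file can run the same routine the client runs.
def client_recover(hex)
  raw = [hex].pack("H*").bytes
  raw.each_with_index.map { |b, i| b ^ OBSCURE_KEY[i % OBSCURE_KEY.size] }.pack("C*")
end

# The one defence left on the client: keep the config file owner-only.
# Returns true when group or others have read permission on the file.
def exposed_to_others?(path)
  (File.stat(path).mode & 0o044) != 0
end
```

Run exposed_to_others? against config/database.yml (or any file holding a client-side credential) to confirm it is mode 0600 or tighter.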