Privacy and passwords

Keith A. Milner kamilner at superlative.org
Wed Mar 5 12:40:31 EST 2008 

On Wednesday 05 March 2008 16:46:08 Charles Day wrote:
> Windows may allow separate accounts, they are really only to keep personal
> preferences and files from commingling. Even with separate accounts,
> user-level file protection isn't turned on by default. And even when turned
> on, the files are not encrypted and anyone with a bootable CD can see
> whatever they like. That's why products like Quicken and Money encrypt and
> password-protect their files. It's not irrelevant or valueless.

I wasn't aware of the Windows scenario. I rarely use Windows and when I do 
it's on machines which have been properly secured.

On my own network, the users cannot easily see each other's files. I could 
improve things to make it nearly impossible for even an advanced user, but 
the steps I have taken are adequate for the environment and the users. 
There's security holes, but I know what they are and what the risk and 
consequences of exploitation is, and this is acceptable to me at the moment.

There's a certain degree of convenience mandates my security policy, and I 
think that's common with everyone.

In a nutshell, I accept security is my responsibility.

I agree with the encrypted-password protected capability not being irrelevant 
or valueless, but that's not what we're talking about here.

I think the issue here is about whether it's sensible to expend time and 
effort on the development of a security "anti-pattern" when there are 
existing security capabilities which can meet the same requirements. These 
may not be perfect or complete, but they can work and provide some protection 
and aren't difficult for ordinary users to implement if they are truly 
concerned about their data.

Anyone who doesn't even use these existing tools clearly isn't that concerned 
about their data security in the first place.

<SNIP>

> That said, a password feature that didn't also include encryption is purely
> theater, and would only stop the nosy and incompetent. Even though that's
> no small population, I don't think theater is worth pursuing, for the same
> reasons most of you have expressed.

Indeed!

Cheers,

-- 
Keith A. Milner

More information about the gnucash-user mailing list