drh added on 2009-09-12 15:53:03:
There are two options:

1. User passwords can be stored cleartext in the local database but sent over the wire (during sync) as a hash.

2. User passwords are stored has a hash in the local database but are sent in the clear over the wire during a sync.

We believe that (1) is the better choice since it requires an attacker to be able to see the local database in order to find passwords, and if the attacker can see the local database, then he has already compromised the machine. But with (2), the attack need only passively monitor network communications in order to steal passwords.

rwilson added on 2009-09-14 16:40:15:
there should be some 'best practice faq' for fossil then, because if i store the same username/password in my local repository as is in the remote repository, then compromising my local also compromises the remote. also, i assumed that fossil was storing a hash of my password, so i chose a password that i use frequently on the internet. so, now that you know what that is, please don't drain my checking account.

drh added on 2009-09-14 19:19:08:
New "scrub" command remove private information from a repository. Check-in 6c6a978a537