Some tools use cleartext passwords, which can pose a security risk. The security risk is even greater if you use LDAP or other external authentication, since you expose your SSO password in cleartext and that password is likely to be used for other services.
For example, Maven uses cleartext passwords in the settings.xml file by default.
Using Maven's built-in support for encrypted passwords and generating passwords on the client side does not overcome the security risks, for the following reasons:

- The login password is decrypted on the client side, ends up as cleartext in memory, and is then transmitted over the wire (unless SSL is also enforced).
- The master password used for decryption is stored in clear text on the file system.
- Password encryption is left to the good will of the end user; there is no way to centrally mandate it.
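As an added illustration (not part of the Artifactory documentation or its code), the following Python script audits a Maven settings.xml and settings-security.xml for the conditions listed above: it reports which `<server>` entries still hold cleartext passwords, which rely on Maven's client-side encryption, and whether the master password that unlocks them sits on disk. The sample files are constructed for the example.

```python
# Added example (not from the JFrog documentation): audit how passwords are
# stored in a Maven settings.xml / settings-security.xml pair, so a team can
# find cleartext credentials before a central "Required" policy is enabled.
# Both sample documents below are constructed for illustration.
import re
import xml.etree.ElementTree as ET

# Maven-encrypted values are wrapped in curly braces, e.g. {COQLCE6DU6GtcS5P=}
MAVEN_ENCRYPTED = re.compile(r"^\{.+\}$")

SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>repo-cleartext</id><username>dev</username><password>hunter2</password></server>
    <server><id>repo-maven-enc</id><username>dev</username><password>{COQLCE6DU6GtcS5P=}</password></server>
    <server><id>repo-property</id><username>dev</username><password>${env.REPO_PASSWORD}</password></server>
  </servers>
</settings>"""

SAMPLE_SECURITY = "<settingsSecurity><master>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</master></settingsSecurity>"

def local(tag):
    """Strip the XML namespace so lookups work with or without the xmlns declaration."""
    return tag.rsplit("}", 1)[-1]

def classify(password):
    if password is None or password.strip() == "":
        return "none"
    if password.startswith("${") and password.endswith("}"):
        return "property"          # resolved at build time, e.g. from an environment variable
    if MAVEN_ENCRYPTED.match(password):
        return "maven-encrypted"   # still decrypted to cleartext in client memory
    return "cleartext"

def audit_settings(xml_text):
    """Return {server id: classification} for every <server> in settings.xml."""
    root = ET.fromstring(xml_text)
    report = {}
    for server in (e for e in root.iter() if local(e.tag) == "server"):
        fields = {local(c.tag): (c.text or "") for c in server}
        report[fields.get("id", "?")] = classify(fields.get("password"))
    return report

def master_password_on_disk(xml_text):
    """True if settings-security.xml carries a <master> entry, i.e. the key for all Maven-encrypted passwords is on the file system."""
    root = ET.fromstring(xml_text)
    return any(local(e.tag) == "master" and (e.text or "").strip() for e in root.iter())
```

Run `audit_settings(SAMPLE_SETTINGS)` to see each server classified; any `cleartext` entry, or a `True` from `master_password_on_disk`, is a credential that a policy of `Required` on the server side is meant to eliminate.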
Artifactory addresses this problem by generating encrypted passwords for users from secret keys stored in the system, so you can ensure that users' shared passwords are never stored or transmitted as clear text.
WebUI Changes implemented in Artifactory 7.38.x and above
Security is now called Authentication Providers. All the relevant text and images on this page have been updated to reflect this change.
The security Settings previously found under the Security tab have moved to User Management.
You can set a central policy for using or accepting encrypted passwords in the Administration module under User Management | Settings by setting the Password Encryption Policy field.
The behavior according to the Password Encryption Policy setting is as follows:
| Password Encryption Policy Setting | Description |
|---|---|
| Supported | The system can receive requests with encrypted passwords (default). |
| Required | The system requires an encrypted password for every authenticated request. |
| Unsupported | The system rejects requests with encrypted passwords. |