user passwords are stored in the fossil repository as plain text instead of a hash.

<hr><i>drh added on 2009-09-12 15:53:03:</i><br>
There are two options:

  1.  User passwords can be stored cleartext in the local database but
      sent over the wire (during sync) as a hash.

  2.  User passwords are stored has a hash in the local database but are
      sent in the clear over the wire during a sync.

We believe that (1) is the better choice since it requires an attacker to
be able to see the local database in order to find passwords, and if the
attacker can see the local database, then he has already compromised the
machine.  But with (2), the attack need only passively monitor network
communications in order to steal passwords.

<hr><i>rwilson added on 2009-09-14 16:40:15:</i><br>
there should be some 'best practice faq' for fossil then, because if i store the same username/password in my local repository as is in the remote repository, then compromising my local also compromises the remote.  also, i assumed that fossil was storing a hash of my password, so i chose a password that i use frequently on the internet.  so, now that you know what that is, please don't drain my checking account.

<hr><i>drh added on 2009-09-14 19:19:08:</i><br>
New "scrub" command remove private information from a repository.
Check-in [6c6a978a537]

<hr><i>rwilson added on 2010-01-10 04:54:59:</i><br>
fixed in [cfe33dcf92] - hurray!