
Default to randomised password and warn user about password being stored in plaintext

Open auri-f5bde6 opened this issue 2 months ago • 9 comments

Partially solve #235

auri-f5bde6 avatar Oct 27 '25 22:10 auri-f5bde6

I don't think requiring the "word-list" package is necessary. You could simply generate random characters by randomizing a number between 97-122, then converting that ASCII value to a char with String.fromCharCode(ascii_code)

I was told by @TibixDev to use the npm package, but I do somewhat agree (that's why I had the EFF text list originally). As for the second point, I opted for a word/memorisable password, just in the odd case where a user might want to log into their VM through ways other than winboat. In that case, a memorisable password would be a lot easier to type and remember.

auri-f5bde6 avatar Oct 27 '25 23:10 auri-f5bde6

I don't think requiring the "word-list" package is necessary. You could simply generate random characters by randomizing a number between 97-122, then converting that ASCII value to a char with String.fromCharCode(ascii_code)

I was told by @TibixDev to use the npm package, but I do somewhat agree (that's why I had the EFF text list originally). As for the second point, I opted for a word/memorisable password, just in the odd case where a user might want to log into their VM through ways other than winboat. In that case, a memorisable password would be a lot easier to type and remember.

How about instead of word, generate random 6 digits?

DamienStaebler avatar Oct 27 '25 23:10 DamienStaebler

Or we can just default the password to winboat, which achieves the same goal. But, there's also a possibility the user may wanna remotely connect to the VM, in which case, having a reasonably safe password would be a lot better as a default.

auri-f5bde6 avatar Oct 27 '25 23:10 auri-f5bde6

True, in that case the user should choose their own password. Have a default password "winboat", give the user a warning and understand the risk. And give them the option to change the default password to something else.

DamienStaebler avatar Oct 27 '25 23:10 DamienStaebler

p.s. just realised the program doesn't even run with the npm packages, not sure how I missed that

auri-f5bde6 avatar Oct 27 '25 23:10 auri-f5bde6

True, in that case the user should choose their own password. Have a default password "winboat", give the user a warning and understand the risk. And give them the option to change the default password to something else.

In my opinion, a memorable password is a good middle ground, but, perhaps. I just think the default should be reasonably safe, just in case the user didn't read properly.

auri-f5bde6 avatar Oct 27 '25 23:10 auri-f5bde6

But yeah! Thanks for the feedback, I'll have a think about it!

auri-f5bde6 avatar Oct 27 '25 23:10 auri-f5bde6

If we merge https://github.com/TibixDev/winboat/pull/383 there's no need to warn the user about the plaintext password

gabrielecabrini avatar Nov 05 '25 07:11 gabrielecabrini

If we merge https://github.com/TibixDev/winboat/pull/383 there's no need to warn the user about the plaintext password

Hmm, but in my opinion, it doesn't change the fact that it's stored in plaintext in compose.yml regardless, so there should be a warning still.

auri-f5bde6 avatar Nov 05 '25 08:11 auri-f5bde6
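
The three defaults proposed in this thread (random lowercase letters from char codes 97-122, 6 random digits, a word-based passphrase), generated from a cryptographic RNG and compared by entropy. This is an added example, not part of the thread or of winboat's code; the function names and the 8-word sample list are assumptions made for illustration, and 7776 is the size of the EFF large wordlist.

```javascript
// Added example, not winboat code. Web Crypto is global in browsers, Electron
// and recent Node; older Node falls back to the built-in crypto module.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Uniform integer in [0, n) by rejection sampling, so no value is favoured
// the way a plain `random32 % n` would favour the low ones.
function uniformInt(n) {
  if (!Number.isInteger(n) || n < 1 || n > 2 ** 32) throw new RangeError('bad n');
  const limit = Math.floor(2 ** 32 / n) * n; // largest multiple of n <= 2^32
  const buf = new Uint32Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Random lowercase letters, char codes 97-122 as suggested in the thread.
function randomLowercase(length) {
  return Array.from({ length }, () => String.fromCharCode(97 + uniformInt(26))).join('');
}

// Random decimal digits (the "6 digits" suggestion when length is 6).
function randomDigits(length) {
  return Array.from({ length }, () => String(uniformInt(10))).join('');
}

// Memorable passphrase: `count` independent picks from a duplicate-free list.
function passphrase(words, count, separator = '-') {
  if (new Set(words).size !== words.length) throw new Error('duplicate words');
  return Array.from({ length: count }, () => words[uniformInt(words.length)]).join(separator);
}

// Entropy in bits of `picks` independent uniform choices from `poolSize` symbols.
const entropyBits = (poolSize, picks) => picks * Math.log2(poolSize);

// Fewest picks from `poolSize` symbols that reach `targetBits` of entropy.
const picksNeeded = (poolSize, targetBits) => Math.ceil(targetBits / Math.log2(poolSize));

// Constructed sample list for the demo; a real list needs thousands of words.
const SAMPLE_WORDS = ['amber', 'brook', 'cedar', 'delta', 'ember', 'fjord', 'grove', 'heron'];
const EFF_LARGE_LIST_SIZE = 7776; // size of the EFF large wordlist

console.log('6 digits      ', randomDigits(6), entropyBits(10, 6).toFixed(1), 'bits');
console.log('12 lowercase  ', randomLowercase(12), entropyBits(26, 12).toFixed(1), 'bits');
console.log('4 sample words', passphrase(SAMPLE_WORDS, 4), entropyBits(SAMPLE_WORDS.length, 4), 'bits');
console.log('4 EFF words would give', entropyBits(EFF_LARGE_LIST_SIZE, 4).toFixed(1), 'bits');
```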