Re: JSON-RPC password

Quote from: lachesis on July 23, 2010, 18:22:08
The password definitely shouldn’t be required.

I strongly disagree; software should be secure by default, and running bitcoind without a password (or bitcoin -server) is definitely NOT secure.

I just don’t see somebody saying “Man, Bitcoin sucks because I have to add a password to a configuration file before running it as a daemon.” I can see somebody saying “Man, Bitcoin sucks because I accidentally ran it with the -server switch and somebody stole all my money.”

I don’t think authentication should be disabled by default if there’s no conf file or the config file doesn’t contain “rpcpassword”, but what if it contains “rpcpassword=”?

I can see both points.

What if the programmer can’t figure out how to do HTTP authentication in their language (Fortran or whatever) or it’s not even supported by their JSON-RPC library?  Should they be able to explicitly disable the password requirement?

OTOH, what if there’s a template conf file, with
rpcpassword=  # fill in a password here

There are many systems that don’t allow you to log in without a password.  This forum, for instance.  Gavin’s point seems stronger.

BTW, I haven’t tested it, but I hope having rpcpassword=  in the conf file is valid.  It’s only if you use -server or -daemon or bitcoind that it should fail with a warning.  If it doesn’t need the password, it should be fine.  Is that right?
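The behaviour the thread describes (an empty `rpcpassword=` in the conf file is fine for a plain client run, but -server, -daemon or bitcoind must refuse with a warning) written out as a small startup check. This is an added example, not Bitcoin's own code; the conf parser and the inline `#` comment handling are assumptions made for the example.

```python
"""Startup check: may the JSON-RPC server be enabled with this rpcpassword?

Hypothetical example (not bitcoind's actual code). Rules it enforces:
  * RPC listener not enabled: rpcpassword is irrelevant, start normally.
  * RPC listener enabled (-server, -daemon or running as bitcoind):
    a missing or empty rpcpassword is refused with a warning.
"""

# Constructed sample conf: the template form discussed in the thread.
TEMPLATE_CONF = """
# bitcoin.conf template
rpcuser=bitcoinrpc
rpcpassword=  # fill in a password here
"""

# Constructed sample conf with a placeholder password filled in.
FILLED_CONF = "rpcuser=bitcoinrpc\nrpcpassword=EXAMPLE-PLACEHOLDER-PASSWORD\n"


def parse_conf(text):
    """Parse key=value lines. Assumption: '#' starts a comment, even inline."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def rpc_startup_decision(settings, args, is_bitcoind=False):
    """Return (may_start, message) for the given conf settings and CLI args."""
    serving = is_bitcoind or "-server" in args or "-daemon" in args
    password = settings.get("rpcpassword", "")
    if not serving:
        # No listener, so an empty or missing password is harmless.
        return True, "RPC server not enabled; rpcpassword not required"
    if password == "":
        # Secure by default: never expose JSON-RPC without a password.
        return False, "warning: rpcpassword missing or empty; refusing to start JSON-RPC server"
    return True, "rpcpassword set; JSON-RPC server may start"


if __name__ == "__main__":
    for conf, args in ((TEMPLATE_CONF, []), (TEMPLATE_CONF, ["-server"]), (FILLED_CONF, ["-daemon"])):
        ok, msg = rpc_startup_decision(parse_conf(conf), args)
        print(args, "->", ok, msg)
```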

