Andreas Kahari wrote:
On Wed, Oct 29, 2008 at 10:10:38AM +0000, Dave Howorth wrote:
It's my understanding (though I am not a lawyer :) that storing a
username together with a password constitutes 'private data' and that any
database or other mechanism used to store that information would
therefore need to be registered with your organisation and be audited. I
also understand that ignoring the requirement is a sacking offence, at
least where I work.

Most password authentication software does not store plain text
passwords, only checksums (e.g. MD5 or SHA1) of passwords.  This is the
case on modern UNIX and UNIX-like operating systems (for user login
authentication) as well as for most software systems supporting password
authentication, for example Apache (see manual for htpasswd).

It's not 100% clear whether this qualifies as "does not need to be audited" or "would pass audit". It would come down to what exactly is considered "private data", according to local policy.
_______________________________________________
DAS mailing list
http://lists.open-bio.org/mailman/listinfo/das